European Cyber Security Perspectives 2017

European Cyber Security Perspectives 2017| 1 Preface

Dear Reader,

Greetings and a warm welcome to our fourth issue of the European Cyber Security Perspectives Report!

We could not be more excited to have made it to this point. We have never had a more stellar collection of articles or a wider selection of partners to work with.

Our articles range from topics like DDoS, , Quantum Key Distribution, Baseband issues, so read on! This year, in addition to our very popular sticker and puzzle sheets, we have also included a centrefold which is meant to be used as a poster for developers. We have further enriched the timeline that you see at the footer of the ECSP with a collection of tweets that we thought were insightful and fun.

When we set out to create a magazine that would promote the collection of different views regarding information security, we tried to encourage a diversity of opinions that could also communicate at various levels rather than the monolithic, statistical reports that we all sometimes read. What you will find in the pages of the ECSP report is a collection of inspired and instructive articles written by real security folks who work hard in the trenches, but who are not afraid to admit the struggles we sometimes face. We believe that with open and inclusive collaboration we have a chance to improve the security odds in our favour.

We are honoured to share the work of so many committed and thoughtful people, you rock!

We appreciate your support through the years and are so happy to have you as a reader again for this year’s European Cyber Security Perspectives Report.

With warmest thanks, The Editors @KPN CISO

P.S. Let us know what you think on with @ECSP17 or e-mail [email protected] Contents 1. Cyber threats coming of age (Wouter Oosterbaan, NCSC) 4 2. SafeMail @ KPN (Michel Zoetebier, Eva Kelder & Ruud Leurs, KPN) 6 3. Ransomware as a Threat (Steven Wilson, Europol) 9 4. A game well play (Peter Zinn, Nationale Politie) 11 5. Security and Safety, Plain and Simple (Rejo Zenger, Bits of Freedom) 13 6. Adapt or become extinct! (Martijn van Lom, Kaspersky Lab Benelux) 16 7. Remote SIM Provisioning (Daan Planqué, KPN) 18 8. Energy sector cyber security 2.0 (Gisele Widdershoven, Accenture Security) 20 9. Breaking your band: one byte at a time over the air (Ömer Coşkun, KPN) 22 10. Puzzle time! 25 11. Stop Chasing Your Tail ( John Michelsen, Zimperium) 28 12. My First Golang Project (Bouke van Laethem, KPN) 28 13. IoT: next big thing or next big fear (Vito Rallo & Bram van Tiel, PWC) 32 14. (Ir) responsible Disclosure (Arnim Eijkhoudt & Wesley Post, KPN) 35 15. Cyber Value at Risk (Maarten van Wieren & Vivian Jacobs, ) 37 16. Dealing with Global Distrubuted Denial of Service (Oded Gonda, Check Point Software Technologies) 40 17. From 01010100 01100101 01100011 01101000 T0 Talk (Mandy Mak, KPN) 42 18. Cyber security today and tomorrow (Bruno Huttner & Kelly Richdale, ID Quantique) 44 19. Combining tactics (Rob Vercouteren, Stefan Zijlmans & Anne-Sophie Teunissen, KPN) 46 20. What you need to know about research in 2016 on human factors in cyber security (Dianne van Hemert, Carlijn Broekman, Helma van den Berg & Tony van Vliet, TNO) 48 21. REDteaming @ KPN (Mark de Groot & Sander Spierenburg, KPN) 51 22. Managing Mayhem (Maarten Bodlaender, Philips) 54 23. Internal Threat Management (Nick Mann, Nick Mann Associates Ltd & Chairman of GSMA and Security Advisory Panel) 56 24. Every CERT must continue to train (Wesley Post, KPN) 62 25. Overview contributing partners 64

January 5 6 Dutch Government Destructive Disakil New attack against embraces encryption, linked HTTPS, “Bicycle attack”. denounces backdoors. to Ukraine power outages. 2 | European Cyber Security Perspectives 2017 Quotes contributing partners

Jaya Baloo Rejo Zenger CISO, KPN Policy Officer, Bits of Freedom

‘Our challenges were never greater nor were the threats to ‘Meaningful security is way more than just the development confidentiality, integrity, and availability never sharper than of another unbreakable encryption cypher. It's about making today, where weaknesses in information security lead to technology accessible to all users that need it. It's about making it geopolitical instability. In a world where old vulnerabilities both transparent and verifiable at the same time. Despite having show up in new technologies, and hardware and software pretty good solutions available, the implementation is too often vendors are not held to account, our capability to prevent, too poor. It’s about users being integral part of security design detect, and respond is minimal. We need to gather our and fixing the lack of usable interfaces.’ forces and refocus our splintered security landscape. We need to embrace disruptive security innovation and reclaim our right to our own data. Progress of technology should be measured by the degree to which security and privacy are ensured at inception. The time is now.' Steven Wilson Head of EC3, Europol

Hans de Vries ‘Europol is fully committed to supporting the enlargement Head of the Dutch National Cyber Security Centre of the No More Ransom project within the EU and (NCSC) internationally to respond to ransomware in an effective and concerted manner," says Steven Wilson, head of the European Centre. "Despite the increasing ‘Over the past years we have seen the growth of connectivity. challenges, the initiative has demonstrated that a coordinated Connectivity can be comforting: smart thermostats automatically approach by EU law enforcement that includes all relevant controlling heating, smart watches watching over your partners can result in significant successes in fighting health. At the same time, the risks of these devices are often this type of crime, focusing on the important areas of underestimated. This is not limited to the prevention and awareness. We are very pleased to see how within one’s personal environment. Incidents in other countries the online portal has improved since it was launched. All show us can cause great impact, for example when police forces are warmly encouraged to join the fight.’ they are used to bring down power grids or when personal IoT devices are used to perform DDoS attacks on websites. Cyber threats are coming of age, affecting individuals, organisations and society. Digital attacks stress the need to take action. I actively embrace and encourage Dave Klingens joint efforts: both the public and private sectors need to work together on improving our resilience.' Director Cyber Risk Services, Deloitte

‘Cyber risk models for quantifying risk are beginning to gain broader acceptance.’ Gert Ras Head of department THTC & TBKK, Nationale Politie Bruno Huttner ‘Law Enforcement is a great asset within the realm of cyber ID Quantique & Chairman of the Quantum-Safe security. It is the instance with legal powers to hold perpetrators Security Working Group, organized by the Cloud accountable for high tech crime, and to obtain data through investigations. In our aim to keep the Netherlands cyber-safe we Security Alliance are connected to successfully cooperate with many partners to bring these perpetrators to court, but moreover to impinge on ‘In order to protect our cyber security infrastructure from the their criminal business models.’ threat of the quantum computer, we have to plan the transition to quantum-safe security right now.’

Cyber criminals abuse the free Let's Encrypt certificate system to smuggle malware onto computers.

January 7 11 rejection of SHA-1 Trend Micro anti-virus software leads to other security gave any website command vulnerabilities. line access to Windows PCs. European Cyber Security Perspectives 2017| 3

Maarten Bodlaender Annemarie Zielstra General Manager Philips Security Technologies Director Cyber Security & Resilience, TNO

‘Automatic exploit generation. High-speed hacking. New words ‘People should become the strongest link when it comes to cyber for many of us. While many IoT vendors are still busy fixing security. Proper cyber behaviour should be in the DNA of any simple blunders like hard-coded passwords, DARPA showed organisation. Awareness, education and culture play a role in that the next few generations of exploits are already on their way. this, but further applied research needs to show how the human While we often distinguish between simple and sophisticated factor can truly evolve towards the strongest force in combating attacks, it doesn't really matter: once a sophisticated exploit has cyber risk. TNO has the multidisciplinary knowledge to help been automated and scripted, it works for everyone. Until the organisations develop such DNA. To strengthen the human industry learns how to limit (the impact of) exploits, large- factor and enrich it with cutting-edge technologies that meet the scale like Mirai will continue to find a fertile ground specific needs of an organisation.’ in the Internet of Things. New building blocks, new security technologies are needed to build systems that withstand an increasingly sophisticated array of cyber attacks.’ Gerwin Naber Partner Forensics, PWC Michael Teichmann EALA Resources lead, Accenture ‘Today, organisations want to hear about innovative new approaches to cyber security and privacy—not the same rehash of fear, uncertainty and doubt (FUD). They want to move beyond ‘The insider threat is as important to understand and mitigate as FUD and think more broadly about cyber security and privacy as the external, given the deep knowledge an insider may have and both protectors and enablers of the business, hird party partners the fact that an external actor may have compromised an actual and customers.’ user account, impersonating the ‘insider’ for malicious purposes.’

John Michelsen, Gabi Reish Chief Product Officer, Zimperium VP of Product Management at Check Point

‘You are most vulnerable to cyberattacks on your mobile devices.’ 'We are more connected than ever before, and innovations in cloud services, mobility and IoT are rapidly changing the way that we deploy and use technology. But we are also seeing dramatic increases in threats and attacks by criminals who are also trying to exploit these technologies. Cyber security is the Martijn van Lom business enabler that allows organizations to take full advantage of digital innovations and drive their business, by keeping them General Manager, Kaspersky Lab Benelux one step ahead of cyber threats and preventing attacks before they happen. Check Point is committed to staying focused on its customers’ needs, and developing solutions that redefine the ‘There is an alarming change in the nature of cyber attacks: from security landscape today and in the future.' computer systems to politics. This affects people’s daily lives significantly. Besides losing money, people are losing something that is even more precious: trust. Trust in things connected to the Internet, in having privacy, in the government protecting you and in information are a few examples. Especially trust in information is currently under pressure. With targeted misinformation - James Moran through often trustworthy channels – cyberattacks can influence Head of Security GSMA and manipulate people and their thoughts, opinions and actions. It’s becoming more and more challenging for people to understand what is true and what is fake with sometimes major ‘Like most industry sectors we now consider internal consequences on national, regional and even global levels. compromise to be one of the foremost‎ threats facing us and we are striving to increase cognisance across our membership.’ Another issue is that while cybercriminals are working together globally, nations are often not able to do the same because of politics. This allows cyber criminals to attack countries and get away with it. If we want to successfully fight cyber crime, private and public parties need to fight together, not only nationally but also internationally.’

Turkish carder SSH backdoors FDA Issues Guidelines scores record discovered in on Medical Device 332-year jail term. Fortinet firewalls. Cyber security.

January 12 15 18 20 Apple Gatekeeper European Human vulnerable for Rights Court rules mass security bypasses. surveillance illegal. 4 | European Cyber Security Perspectives 2017

Cyber threats

Wouter Oosterbaan, NCSC coming of age

Professional criminals and state actors are an ever greater by criminals is becoming ever more sophisticated and danger to digital security in the Netherlands. Campaigns therefore more credible. Spear is thus becoming by professional criminals with the objective of monetary increasingly difficult to fight with security awareness. gain is a growing problem. This group has evolved into Prolonged campaigns with large investments and sophisticated actors and carry out long-lasting and high- advanced spear phishing were, in the past, the terrain of quality operations. Foreign intelligence services on the state actors. one hand focus on economic espionage: companies in top sectors are being attacked, putting pressure on the Digital espionage by foreign intelligence services competitive position of the Netherlands. On the other puts the competitiveness of the Netherlands hand, political espionage in the digital domain is second to under pressure and undermines political and none: the Dutch government suffers regular digital attacks. governmental authority The past year has seen many digital attacks on companies That is apparent from the Cyber Security Assessment in the Netherlands in which the motive was economic Netherlands 2016 (CSAN 2016), published in espionage. Espionage for economic purposes is harmful September 2016 by the National Cyber Security to the position of the Netherlands. These attacks focused Centre (NCSC). The CSAN is drawn up in close on acquiring technology that sometimes still has to prove collaboration with a large number of partners, both its value. Two thirds of the affected companies were from private and public sectors. It offers insight into unaware of these attacks. Next to economic espionage, the interests, threats and resilience, as well as the foreign intelligence services actively collect digital related developments, in the field of cyber security. political information in the Netherlands. The Dutch government suffers regular digital attacks. Political Professional criminals have evolved into espionage undermines political and governmental sophisticated actors and carry out long-lasting authority and is therefore a threat to the democratic and high-quality operations legal order. Intelligence agencies find that state actors Campaigns by professional criminals are becoming more increasingly use digital tools to achieve their strategic and more sophisticated. In the past, the digital attacks objectives, to resolve (international) conflicts and to and associated campaigns by criminals were often of support, in some cases, an armed struggle. short duration and focused on earning quick money by targeting a great number of parties. Criminals in the past Ransomware is commonplace and has become year have, implemented a number of campaigns where even more advanced huge investments have been made and which show a The use of ransomware by criminals in the past year has high degree of organisation. In addition, spear phishing become common. Infections are everyday occurrences

Linux bug imperils tens of millions of PCs, servers, and Android phones.

January 20 22 Aeroplane parts manufacturer Attackers compromise FACC Operations loses over 3,500 public servers in 54 million dollar to cyber fraud. possible reconnaissance drive for future attacks. European Cyber Security Perspectives 2017| 5

and affect the entire society. Whereas in the past the Advertising networks have not yet shown the same price had to be paid per infection, the price is ability to cope with now determined on the basis of the type of affected The distribution of malware via ads on major websites is organisation. In addition, the malware itself is more a problem. Advertising networks have not yet been able sophisticated: in addition to files on the local disk, to find solutions to this problem. Malvertising through nowadays databases, backups and files on network drives advertising networks remains an effective method for are encrypted. Various sectors indicate that the mode of disseminating malware using exploit kits. In the past infection with ransomware is changing. Previously, these period, this also affected popular Dutch websites. The were only random infections. Now, several vital sectors wide range of advertising networks provides, along indicate that they are regularly confronted with person with the large number of systems from which the latest or organisation-targeted phishing e-mails by which updates are missing, a large attack surface. Operators of attackers try to install ransomware. There are indications these websites and advertising networks themselves do that criminals more often use ransomware to target not have full control over the ads. This makes it possible organisations. Sometimes, they use an adjusted (higher) for malware to be spread. Complete ad blocking in the ransom demand for this and they focus on vulnerable browser affects the business model of website owners. To targets where continuity is important, such as hospitals protect users against malvertising without blocking all and care facilities. ads, fundamental changes are needed in the way these networks work.

Table 1 Threat matrix

Table 1 Threat matrix Targets

Source of the threat GTaovergetrnmes ntsPrivate organisations Citizens

SourceProfessional of th ecriminal threats GovernmentsPrivate organisations Citizens information information information Professional criminals informatioManipulationn of informationMinformatioanipulationn of informationMinformatioanipulationn of information

ManipulationDisruption of ITof informationMDisruptionanipulatio ofn ITof informationMDisruptionanipulatio ofn ITof information

DisrIT tauptionkeover of IT ITDisruption takeover of IT ITDisruption takeover of IT

State actors DigiIT tatakel overespionageDITigit takeal overespionageDITigit takeal overespionage

State actors Digital espionageDigital espionageDigital espionage Terrorists Disruption/takeover of IT Disruption/takeover of IT

CyTerrorisber vandts als and script Disruption/takeover of IT Disruption/takeover of IT kiddies Cyber vandals and script Disruption of IT Disruption of IT kiddies Hacktivists Disruption of IT Disruption of IT obtained information obtained information Hacktivists obDefacemetained infont rmation obDefacemetained infont rmation

DefacemeDisruptionnt of IT DefacemeDisruptionnt of IT

DisrIT tauptionkeover of IT ITDisruption takeover of IT

Internal actors IT takeover IT takeover selling of information selling of information Internal actors selDisrlinguption of information of IT selDisruptionling of information of IT

Cyber researchers DisrReceivinguption an ofd IT publishing DisruptionReceiving an ofd IT publishing information information Cyber researchers Receiving and publishing Receiving and publishing Private organisations information information Commercial use/abuse or ‘resale’ espionage) of information Private organisations Commercial use/abuse or ‘resale’ No actorIT failureIespionagT failureIe) ofT fainfoilurrme ation

No actorIT failureIT failureIT failure No new trends or phenomena are recognised New trends and phenomena are observed There are clear developments which make that pose a threat. that pose a threat. the threat expedient. Change with respect to CSAN 2015. ORNo new trends or phenomena are recognised NeORw trends and phenomena are observed TherOR e are clear developments which make that pose a threat. that(limited pose) measures a threat. are available to remove the threat expedient. Change with respect to CSAN 2015. ORthe threat. ORthe threat. remainOR s substantial. OR (lORimited) measures are available to remove OR Nothe appreciablthreat. e manifestations of the threat thIncie dentthreast. have occurred outside the remainIncidents ssubstantial. have occurred in the Netherlands. occurredOR during the reporting period. ORNetherlands and there have been several OR No appreciable manifestations of the threat Inminocidentr insci havedent soccurred in the Netherland outside ths.e Incidents have occurred in the Netherlands. occurred during the reporting period. Netherlands and there have been several minor incidents in the Netherlands.

January 26 Critical cross-site scripting vulnerabilities found in Magento e-commerce platform. 6 | European Cyber Security Perspectives 2017

SafeMail @ KPN Getting a grip on some of the

Michel Zoetebier, Eva Kelder & Ruud Leurs, KPN oldest internet protocols

With ongoing phishing attacks, CEO/CFO fraud and Standards fake invoices loaded with ransomware, e-mail remains a To obtain absolute control of the domain being used in widely-used entry point for criminals. e-mail communications, and to implement an anti- spoofing mechanism, KPN has chosen to implement the If we do not take e-mail anti-spoofing measures, we standards: SPF2, DKIM3, DMARC4 and S/MIME5. invite attackers to simply send e-mail on behalf of legitimate company domains. The lack of these measures More visibility: DMARC RUA also removes the foundation to build a proper awareness For more visibility on the use of a domain in e-mail program. Customers, employees and business relations communications, it is not needed to have SPF and/or are not able to visibly recognize a legitimate e-mail DKIM implemented. Based on DMARC alone a “none” and are unable to distinguish phishing attempts from policy can be published in DNS, including a mailbox real corporate communications. As a result, trust in to obtain so called Aggregate Data (RUA) reports from the official e-mail communications of a company other networks. The DMARC “none” policy tells the deteriorates. In December 2016 it was announced1 that receiving e-mail server not to reject any message in the name of KPN is abused the most in fake emails. case the SPF and/or DKIM check fails. RUA reports are sent when an e-mail server receives an e-mail message Stop! containing the domain for which the DMARC records are The decrease of trust in legitimate e-mail communication published in DNS. These reports include the IP address has to stop. By using open standards, KPN CISO has that was used for sending out the e-mail. This will create been given the chance to take back control of the usage an overview of IP addresses using the domain in e-mail of KPN’s domains and to regain the trust in KPN’s e-mail communications. communication. The goal of this project (called SafeMail) is to make it visibly recognisable that a received e-mail When tagging the IP addresses of legitimate e-mail is a legitimate message and to prohibit the rest of the servers for a domain as valid (green) and all other internet to (ab)use KPN’s domains.

(1) www.emerce.nl/nieuws/naam-kpn-meest-misbruikt-nepmails (2) SPF: Sender Policy Framework, an email anti-forgery system (3) DKIM: DomainKeys Identified Mail (DKIM) is an method designed to detect email spoofing. (4) DMARC: Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email-validation system designed to detect and prevent email spoofing. (5) S/MIME: S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of MIME data.

January 27 Arbor Networks reports PayPal patches worlds largest DDoS server remote code attack of 500 Gbps. execution flaw. European Cyber Security Perspectives 2017| 7

IP space as invalid (red) and plot the IP addresses onto a scale of KPN, this would result in an extremely big record. map, it will look like: More importantly, to what extent is a company able and should it be willing to extend its trust towards external IP addresses? People can make mistakes, servers can be compromised and the simple process of keeping the list of IP addresses up to date is often forgotten.

To make sure none of these “mistakes” will lead to non-deliverability of important e-mail messages, and to prohibit blacklisting of the SafeMail SMTP servers, only the IP addresses of the SafeMail outbound SMTP servers will be included in the SPF record of KPN. This record will be the basis for a DMARC policy that will prohibit the rest of the internet to (ab)use the corporate domains of KPN.

Now what? Instead of a big messy SPF setup, KPN has created one central e-mail platform that will proxy all e-mail communication from all internal and external applications. By doing this, only the SafeMail outbound SMTP servers should be allowed to send e-mail on behalf of KPN’s domains. When you visualise the before and after situation it looks like this: A graph based on the amount of e-mail received in time for a specific domain can also be created: BEFORE

Hotmail.com Gmail.com KpnMail.nl …

[email protected] [email protected] [email protected] March 2016 April 2016 May 2016 [email protected] [email protected] [email protected] [email protected] “Mixed” and “Unknown” data means hat, purely based 3rd Party 3rd Party KPN: KPN: KPN: for KPN for KPN on the RUA reporting, a message could not be marked as Invoices Newsletters … Legit/Abusive. This visualisation underlines the issue and MailChimp … the way the internet looks at the domain e-mail usage. Why are others using your domain? Mostly, because it’s technically possible. AFTER

Hotmail.com Gmail.com KpnMail.nl … SPF SPF is a good basis for DMARC. Its use without DMARC is seen in a lot of domains. Even though publishing the outbound SMTP servers for legitimate e-mails in a SPF SafeMail record in DNS helps in the filtering and reputation with Proxy receiving e-mail servers, purely rejecting/accepting e-mail based on SPF records will lead to false positives. Because SPF is used widely on the internet many

incorrect SPF records exist. Spammers and phishers have 3rd Party 3rd Party KPN: KPN: KPN: for KPN for KPN also been setting up domains with proper SPF records to Invoices NesLetters … circumnavigate filters for a long time. MailChimp …

A common way to publish all legitimate e-mail servers in an SPF record is to include the IP addresses of external Technically this is not hard to implement, but a critical parties. This way little effort is needed to combine all ingredient for this recipe is a complete overview of e-mail communications in one policy. The SafeMail all internal and external applications and third party team received many requests to include external IP suppliers that send out e-mail using the domain you want addresses in KPN’s SPF record. In a company with the to build the policy for.

American hamburger chain giant Wendy's hacked.

January 27 29 PayPal patches HSBC banking server remote code services offline due execution flaw. to DDoS attack. 8 | European Cyber Security Perspectives 2017

The real challenge question mark. Online e-mail platform GUI’s display Constructing this overview was done based on a the text “the origin of this e-mail message cannot be three-way strategy: confirmed and might be harmful”. When messages • Internal communication campaign asking all to report are DKIM signed, the question mark changes into a e-mail communications colored icon containing the first letter of the domain. • Collecting all current e-mail relay server log files into The difference between non-signed and DKIM-signed one database messages are visualised in these screenshots: • Logging the internal network on port 25 to obtain sending IP addresses S/MIME

Obviously, this will lead to a mismatch in what is known and what is actually seen on the network. Besides the recurring “who is the owner or administrator of this server?” question that will fly around for some time, the challenge is to create a best effort based overview of all e-mail sending applications and 3rd parties. Doing this also helps with testing and improving the accuracy of the CMDB.

Another outcome of this inventory of e-mail addresses is the realisation that the use of e-mail addresses has grown astonishingly. Should there really be hundreds of different no-reply addresses? Why are invoices being sent from dozens of e-mail addresses? Based on this discovered information, the rationalisations of e-mail addresses has been included in the project and the use of generic e-mail addresses has been added to the companies’ security policy. Also, for the implementation of S/MIME a reduced set of e-mail addresses comes in handy to minimize the amount of certificates needed.

The external challenge By enclosing a S/MIME certificate with the e-mail, External parties need to be approached in a completely the sending server ensures the body of the e-mail has different way. KPN has outsourced most e-mail sending remained unchanged until received by the end user. activities to specialised external parties. These parties This certificate also triggers most e-mail clients and have frequently implemented SPF, DKIM and sometimes online e-mail services to show a colored security symbol, DMARC. Companies outsource their e-mail sending which is visualised the same way HTTPS is for internet activities to these specialized parties because this websites. When companies start using this in a consistent adds value in e-mail deliverability and reliability. and transparent way, it creates a strong basis for e-mail security awareness programs. Normally such parties ask companies to include their IP addresses in the SPF record, as mentioned earlier. KPN Conclusion now asks them to stop sending the e-mail directly, and Rolling out these standards can be a tough challenge, to deliver the e-mail message to the SafeMail proxy of and has many dependencies. For the strongest and most KPN. Applications that compose the e-mail messages, effective implementation of this security design, many like invoices and customer satisfaction surveys, are often internal and external parties are required to actively integrated to local SMTP platforms. Technical changes change the way they are handling KPN e-mails, like are needed in these environments to deliver the e-mails checking on SPF, DKIM and DMARC policies before to the SafeMail proxy. Changing the way of sending delivering e-mails to the end users. Regionally and/or out e-mails by these parties needs to be a joint effort to nationally deploying these standards on both outbound ensure the e-mail deliverability. and inbound e-mail communications improves e-mail security drastically and is definitiely worth the lengthy DKIM process of implementation. While DKIM tells other servers a message originated However, attackers are already acting on the situation from the announced server by signing the message with a when networks will have implemented these e-mail private key, end users normally don’t look at the headers standards. By registering look-a-like domains, hacking of e-mail messages. Fortunately, the top mail providers known legitimate websites and using the e-mail security are using DKIM to check if the messages originated from standards as a weapon to avoid filtering, the cat and the announced domain and show this to their users. mouse game never ends... In apps, non-DKIM-signed e-mails are shown with a

February 2 Result of TalkTalk hack publiced: Researchers find Company loses 100k customers vulnerability in and £60 million. two-factor authentication. European Cyber Security Perspectives 2017| 9

Ransomware as a Threat Steven Wilson, Europol

Ransomware is a type of malware that locks the victims' The sale of variants of ransomware within criminal computer or encrypts their data, demanding them to communities (Ransomware-as-a-Service) is also a pay a ransom in order to regain control over the affected significant issue, as individuals and groups have access to device or files. Ransomware is often spread through instantly distributable ransomware. After an encryption malicious spam emails, which contain attachments or ransomware infected a substantial number of computer links to websites which then download the ransomware. systems, German law enforcement began investigating Another way in which ransomware is spread is through the online network it originated from, named ‘Avalanche’. compromised or hacked webpages, which contain scripts This platform had been used by cybercriminals since to download the ransomware on to the victim’s device. 2009 to conduct malware, phishing and spam activities: more than 1 million e-mails with damaging attachments After ransomware has been downloaded and executed, or links were being sent every week to unsuspecting victims find their personal files have been encrypted victims. On 30 November 2016, after more than four years and they cannot run particular software, or their screen of investigation, the Public Prosecutor’s Office Verden has been locked. Alongside this, a message from the and the Lüneburg Police (Germany), in close cooperation malicious actor is displayed, informing the victim that with Europol, Eurojust, US agencies and global partners, their device has been locked and/or their files have been dismantled this platform. encrypted, and they must pay the attacker a particular amount of money, often in , in order to have NO MORE RANSOM Initiative control restored. On 25 July 2016, Europol, the Dutch National Police, Intel Security, and Kaspersky Lab joined forces to The Internet Organised Crime Threat Assessment launch an initiative called No More Ransom, a new (IOCTA) 2016, the flagship strategic publication of step in the cooperation between law enforcement the Europol’s European Cybercrime Centre (EC3), and the private sector to fight ransomware together. identifies ransomware as a significant cyber threat: The non-commercial initiative established an almost two-thirds of law enforcement in EU Member online portal – www.nomoreransom.org – to inform States are conducting investigations into this form of the public about the dangers of ransomware, malware attack, and the number of victims is increasing. how it works and how to protect themselves. According to Kaspersky Lab, the number of users attacked by crypto-ransomware rose by 5.5 times, from In order to better assist victims from all over the world, 131,000 in 2014-15 to 718,000 in 2015-16. While the target the online portal is available not only in English, but is often individual users’ devices, corporate and even also in Dutch, French, Italian, Portuguese and Russian. government networks are affected as well. Translations into yet more languages are currently

February 3 Researchers find EU Commission and vulnerability in United States agree on new two-factor framework for transatlantic data authentication. exchange EU-US Privacy Shield. 10 | European Cyber Security Perspectives 2017

Only during the first two months, more than 2,500 visitors successfully managed to decrypt their devices without having to pay the criminals, using the main decryption tools on the platform.

ongoing, and their implementation will follow in the The Future of Ransomware coming months. A number of international threat intelligence and research organisations have identified the rapid Alongside prevention advice and the option to report development of ransomware campaigns, and the a crime which is forwarded to relevant authorities, increasing targeting of public and private industry the portal contains more than 160,000 keys, with over in more sophisticated means, as opposed to broad twenty five decryption tools listed on the website. The campaigns targeting unsuspecting individuals. It has initiative is always in the process of welcoming new been predicted that, despite the volume and effectiveness public and private sector entities in an effort to step up of ransomware decreasing, the number of successful the fight against this significant threat, with additional attacks on Internet of Things (IOT) devices will increase decryption tools being developed and made available to greatly. This is particularly concerning for the healthcare victims. Due to the constant evolution of ransomware, industry, as hospitals have been frequently targeted by decryption tools must be developed regularly alongside ransomware attacks such as Locky and Samsam, the the prevalence of new ransomware families. latter being delivered through exploiting vulnerabilities in an organisation’s networks and servers. Only during the first two months, more than 2,500 visitors successfully managed to decrypt their devices without The recent developments in the sophistication of cyber having to pay the criminals, using the main decryption threats including ransomware show that, whilst No More tools on the platform. This has deprived cyber criminals Ransom has undoubtedly been a success, prevention and of an estimated EUR 1.35 million in ransom payments, victim support campaigns such as this must continue an amount that keeps growing on a monthly basis. EC3 and develop in line with the tools used by cybercriminals. recommends that victims of ransomware do not pay the This can only be done with the continued cooperation ransom. By doing so, they will be financing other forms and collaboration with private sector and industry. of criminality, and there is no guarantee that victims will regain access to their files and computer.

Kaspersky Lab cracks digital walls of a Moscow hospital and finds an array of open doors on the network and weaknesses in medical devices and crucial applications.

February 9 10 Vulnerabilities identified in smart Google warns Gmail thermostats made by Trane users about unencrypted allows malicious to gain messages. complete control of the devices. European Cyber Security Perspectives 2017| 11

A game well played Peter Zinn, Nationale Politie

The cyber security world sometimes seems to resemble a Strategy chess game. The red team makes bold moves and attacks To understand what happened next let’s have a closer wherever it can. The blue team plays slowly, carefully, look at the strategy of the Dutch NHTCU. and defensive. Red often wins. In our investigations we try to follow these four steps - but not necessarily all of them: Björn and Gijs This particular game went a bit differently. It started in 1. Victim support Sweden when a CISO, let’s call him Björn, got hit with 2. Damage mitigation the Coinvault ransomware. Infected but by no means 3. Disruption of the criminal business model helpless, he followed the traces of the malware and 4. Attribution and bringing to justice identified a Dutch C2 (Command & Control) server it was connecting to. Good move. He then contacted the These steps show that police investigations are not solely completely unaware owner of the server, let’s call him aimed at attribution. Attribution is hard, costly, and not Gijs, who traced the malware on his server and was able always most effective. Since law enforcement often has to extract the decryption key Björn needed. Then Gijs unique data and capabilities they can play a pivotal role contacted the police. Another good move. in the first three steps. Which also fits in nicely with the police task of providing help to those in need. NHTCU Gijs simply called the general police number. The days Never alone where you call the police for phishing and get sent to the None of the four steps can be performed alone. water police are long gone - Gijs was directly connected Attribution in cybercrime almost always needs to the Dutch National High Tech Crime Unit (NHTCU). international police cooperation. For the first three steps Within an hour we started a preliminary investigation public-private partnerships are a must. In this case, with of the C2 database. It was a client database of sorts, the victim database in our hands, we wanted to create with information on all the computers infected by the an opportunity for the victims to obtain the decryption ransomware. Nice catch. key - for free. We reached out to our partners and found Kaspersky Lab willing to build a decryption website for Coinvault victims. Good move, especially since that meant they needed to work under the time pressure of a judicial investigation.

ENISA has weighed into the cryptography Flaws in wireless mice debate, warning that crimping cryptography and keyboards let will “create vulnerabilities that can in turn be hackers type on PC's. used by criminals and terrorists”.

February 14 16 23 24 PBX phone system U.S. Federal Trade hacking yields criminals Commission and Asus $50 million over four years. settle security case. 12 | European Cyber Security Perspectives 2017

Sharing data Kaspersky and us independently traced the suspects, in The data we needed to provide Kaspersky with, completely different fashions. Even though the criminals in order to build the cleaning tool for the victims, should have been warned by their databases being taken did not contain any personally identifiable offline, they simply continued their actions. Game over. information, which made sharing and caring a lot easier. While they were working, we found another So, with an unusual amount of blue players doing the Coinvault C2 server. We secured it (victim support, right thing, we won. But hat is just one game. There is attribution) and took it offline (damage mitigation, a match to worry about. There are it seems a gazillion disruption). Extra input for the Kaspersky tool. different types of ransomware out there and every single day people and companies get hit. Would not it be Have your cake and eat it possible to scale-up the cooperation with Kaspersky? Some people argue that victim support, damage With more law enforcement and more AV on board, more mitigation and disruption harm your chances of victims can be helped. successful attribution. After all, you are warning the suspects. But as far as we have seen, it might actually That is how the No More Ransom initiative was born. increase the chances of capture. In this case, both Good move.

Apple wins ruling French government in New York iPhone wants legislation to force hacking order. companies to cooperate with decryption or get fined.

March 1 7 Dutch company The Cloud Security Alliance Vaulteq introduces (CSA) released an important physical password new research report about manager. cloud computing threats. European Cyber Security Perspectives 2017| 13

Security and Safety, Plain and Simple Rejo Zenger, Bits of Freedom

Even though there were a record 32 million departures of model? Do we need to redesign the construction of the large aircraft in 2013, there were “only” 137 fatalities due landing gear? Or do we need to revise the procedures to accidents. In the ten-year period before, there were when taxiing from the runway to the gate? These 0.6 fatal accidents per one million flights. One of the recommendations are then systematically shared in the reasons for this surprisingly low number of fatal incidents industry, making traveling by plane safer for all of us. is the ability of the aviation industry to learn from mistakes. We should start doing the same with incidents Surprisingly, none of that happens when there is an in the digital world. incident in our digital environment. Of course, incidents are being investigated. However, those investigations are Whenever a plane has crashed, the first priority is to commissioned or done by the affected organisation and provide assistance to any survivors. Right after that, all aim to limit the damage to its own interests – especially efforts are put into the recovery of the two black boxes – the damage to the image of the organisation. The results which are often orange to increase the chance of finding are kept secret or shared haphazardly with the most them. One of the boxes records all the instructions sent demanding customers. At best, the results are used to to the electronic systems of the aircraft. The other records improve the internal monitoring system. Of course, this is conversations in the cockpit, radio communications somewhat exaggerated. Fact is: as a community, and as a between the cockpit crew and others, as well as ambient society at large, we miss a great opportunity to learn and sounds. These recorders are designed to capture all to improve the security of our digital infrastructure. important data and can withstand great external impact. Black boxes are key tools in determining what has caused In the Netherlands, just like everywhere else, many the crash. agencies and institutions have a role to play in the aftermath of a plane crash. On the trail of the emergency The purpose of these investigations is plain and simple: services you’ll see the public prosecutor, salvage finding out what we can do to prevent a similar businesses, insurance companies and many other accident from happening. Did the pilot misread the organisations. They clean the site, chase after those who altitude on the cockpit panel? Was there some are responsible to try and get compensation and they mechanical failure that caused the suspension to prosecute the guilty. Perhaps the most important work is break upon touchdown? Was the collision of two done by the Dutch Safety Board (DSB). They document planes caused by confusing taxiing procedures? In every known detail that has led up to the crash and make other words: Is there some mechanical part that needs recommendations for preventing a similar accident. preventive replacement in planes of the same make and

March 10 Hackers breach Bangladesh Bank US hotel chain Rosen Hotels & Resorts and steel $80 million via breach discloses its payment network has of SWIFT banking software. been compromised with with malware gathering creditcard data for 18+ months. 14 | European Cyber Security Perspectives 2017

The easiest way to improve the security of key IT systems for our society, is to start learning from our mistakes.

Accidents in the transportation sector have been of our cars, access to emergency services, financial examined on a fairly structured basis since the early transactions or the navigation of planes. If any of those 20th century, albeit never by a fully independent systems is prevented from operating for more than a body. This only changed at the end of the century, couple of days, or maybe even just a few hours, it could together with the most pivotal improvement: blame derail our society considerably. When these kind of was explicitly excluded from the investigation process attacks cannot be contained, it will undermine the trust in order to maximise the effectiveness. The DSB was of citizens and may trigger societal unrest. established in early 2005 (after the fireworks disaster in Enschede and a devastating fire in a bar in Volendam). Given our reliance on those systems and the immense It is allowed to initiate investigations into accidents in impact a disturbance of these systems may have, we the various transport sectors, as well as in the fields of need to do everything within our reach to eradicate defence, industry and commerce, health, nature and vulnerabilities. We need to make sure that the software environment, crisis and emergency. created is based on solid security practices and is audited frequently. We need to make sure that closed software Strangely enough, the DSB focuses on situations where developers are liable for the products they put out on people are dependent on others for their safety, but the market. We need to make sure that the government doesn’t investigate incidents in the digital domain - doesn’t introduce any new vulnerabilities in the form of even when vulnerabilities in our industry can have an backdoors. We need to make sure that all vulnerabilities immense impact on the safety of large groups of people. we come across, are swiftly reported to those who are And because of the architecture of these systems, people accountable and responsibly disclosed to the general can’t defend themselves against that impact. public as soon as possible.

These systems are entrusted with the data about millions The easiest way to improve the security of key IT systems of people. This can be sensitive data where people rely on for our society, is to start learning from our mistakes. the protective measures of companies and governments. It would be fairly stupid to, after handling an incident, It is not just the data users more or less knowingly share, make the same mistake that led to that incident over and the same goes for the data that is generated by all the over again. The only way to prevent this from happening devices in our homes. Soon everyone will have dozens of is by investigating security incidents transparently and connected devices in their home, continuously sharing thoroughly and create recommendations for preventive our private lives with the outside world. Vulnerabilities measures. Therefore, I propose the establishment of a in those systems makes that sensitive data s accessible new organisation with the sole purpose of investigating to criminals. Vulnerable IT systems lead to vulnerable security incidents in the digital realm in order to prevent societies. similar incidents from reoccurring. In other words, a cyber-incarnation of the Dutch Safety Board. We have become highly dependent on the availability There are a number of vitally important requirements of our IT systems. As a result, incidents may affect the for such an investigative body. First and foremost, it supply chain to supermarkets, the correct functioning needs to be fully independent. If it’s not independent,

Researchers find iOS-malware in the official Apple App Store that uses previously unknown ways to infect iPhones and iPads.

March 11 14 16 The discovery of a in a new Advertisements on msn.com EDA2-based ransomware allows 700 infected and bbc.com are spreading computers to be decrypted without paying. ransomware. European Cyber Security Perspectives 2017| 15

it won’t be trusted. Without the trust, investigations Finally, there will be way more incidents than any will be obstructed and the reports not taken seriously. organisation is able to investigate. With the right set As the primary objective is to learn from mistakes, an of priorities, the organisation should be able to make environment of trust is necessary. a selection that allows for a thorough investigation of a limited number of incidents while maximising the Secondly, these investigations may not be part of an effectiveness of the outcomes. Without a doubt, the investigation into guilt or liability. That should be organisation should investigate high impact incidents explicitly ruled out. Only when investigators have full in systems that are vitally important to our society. At access to all relevant data, they will be able to make the same time it should look into the low hanging fruit: a factual, accurate and explanatory analysis. If the incidents with small impact, hitting large groups of owner of the system, that has caused or discovered an people. The latter could be done, for example, based on incident, can’t be sure that the information he shares is the notifications of data breaches that are made to the not used against him, he will be reluctant to cooperate. Dutch DPA. The organisation could investigate every 50th Information handed over to the investigative body can’t incident and publish a yearly summary of quick wins. be shared with insurance companies or law enforcement. If there is a need from law enforcement or others, those One unanswered question remains: What is the digital institutions should seek access to that information based infrastructure equivalent of the black box? on their own powers.

Because we need to learn from these incidents, this new organisation needs to be transparent and should extensively publish its findings. The reports should detail all the facts that led up to the incident, including the impact of the security breach. It needs to present readily applicable and relevant recommendations to enable others to prevent similar incidents. It should also provide suggestions for detecting early warnings and how to reduce the impact in case something goes wrong. Of course, this may mean that classified business information becomes public. The risk of disclosure can be decreased by reporting just facts in a timely manner. In any case the public interest should outweigh the interests of the individual company or government institution.

That does not mean the government has no role to play whatsoever. The opposite is true: the government needs to fund such an organisation as well as create the legal environment in which it can operate. When investigating security incidents in the digital realm, the investigators will need to have access to the systems in which a vulnerability has been abused. That requires investigatory powers to obtain access to documents and systems that are otherwise out of reach of an independent and non-law enforcement organisation. It needs to have the power to make copies of data carriers, audits and everything else that it deems relevant to the investigation. All of this requires a new bill that needs to be proposed and approved by the parliament.

The organisation should consist of a team of experts. While many of the incidents will have a root cause in a non-technical area, technical expertise will be required for a thorough examination in many other investigations. The organisation needs a number of forensic and security experts for all kinds of digital systems. Without losing its independence, the organisation may exchange experience and knowledge with experts from CSIRTs.

PETYA Crypto-ransomware FBI Breaks into Overwrites MBR to Lock Users Terrorist’s Out of Their Computers. Encrypted iPhone.

March 22 28 When an external party offered a Kentucky Hospital solution to decrypt the iPhone of one Declares ‘Internal State of the San Bernardino criminals, the FBI of Emergency’ After dropped their charges against Apple. Ransomware Infection. 16 | European Cyber Security Perspectives 2017

cyber security is not a state that you can achieve, it’s a journey. It is actually a lot like evolution: flexibility and adaptability are essential in order to survive. Adapt or become extinct! Cybersecurity requires

Martijn van Lom, Kaspersky Lab Benelux flexibility to survive

“It is not the strongest of the species that survives but the sound defeatist - or like a commercial pitch from most adaptable to change”, is a profound saying credited a security vendor - but it’s really sound advice. Advice to Charles Darwin. While he didn’t literally state it that to survive. way, his famous work ‘On the origin of species’ does shed light on the need to adapt in order to survive. The theory Cyber insecurity can lead to extinction. Not just virtual of evolution shows that the adaptation to changing extinction but the out-of-business kind of extinction. circumstances is what gives a species better chances for The ongoing spate of big, sneaky, spectacular and even survival than its competitors. long-hidden security incidents has proven that cyber insecurity is a malady that plagues many ‘species’ in our Darwinism modern world. We at Kaspersky Lab know that all too The same applies to cyber security. The current well. We have also been hacked, a painful fact that we did landscape of digital threats is quite different from that not hide but broadcast to the world, so that we, but also of just a few years ago. True, some cyber risks are old, others, can adapt and survive. well-known and seemingly survivable. Some of those older cyber risks still hurt and cause damage. In addition Now, a lot of the companies and organizations that have to those older risks, there are new and changing digital been breached, are still standing. Do not interpret that dangers on the horizon: the so-called ‘evolving threats’. as a debunking of Darwinism in cyber security. It took a long time for the dinosaurs to go extinct and some of Not the strong, not the smart and not even the secure are them held out for quite a bit longer than others. In the guaranteed to urvive, at least not in the long run. Those end, lack of change is what killed off many species. that are strong now probably have a weakness that will be Cyber insecurity will also take its toll. exploited later. Those that are smart now can be foolish with new developments. Those that are secure now may Aim for the impossible just think that they are. It’s a well-known saying in Cyber security is what we all want, or rather: it’s what IT security that: “It is not a matter of whether you get we all need. It’s a goal that you need to keep striving hacked but when”. for. However, it’s not a set state that you can attain and then preserve. The ‘you’ in this statement is applicable Assume the worst to consumers, employees, executives and politicians, as A modern evolution of that saying is that you are well as companies, non-profits, NGO’s, countries and probably already hacked, but you just don’t know it yet. broader entities such as the European Union. Perfect So it would be best to assume that your organization security, which gives you a hundred percent protection, and its IT systems have already been breached. This may is not possible.

April 3 4 13 Panama Papers Turkey breach spills Matthew Keys released. info on more than sentenced to two half its citizens. years for aiding . European Cyber Security Perspectives 2017| 17

This does not mean that we should give up. We, A good, Darwinistic response to incidents like these the security industry, telecommunications sector, is to study them, learn from them and then change in the IT users and society at large, need to aim response. That change is not something to be done just in for perfection even when we know that this is reaction to past incidents. Change should also be forward unattainable. By striving for the impossible we looking. Try to imagine the creative new ways in which will create an ever better security: in products, in adversaries could try to go after you, your assets and systems, in processes, in skills and in mentality, even even your connections to others. Sometimes, a hacked though every inch towards that impossible goal is organization is not the real goal, but just a mean to an exponentially more costly to reach, a bit like the end. Some of the more impactful hacks in recent history high cost of the ‘last mile’ in the telecoms world. have been done through intermediaries, partners and other links. The cost equation Now, here’s the good news: the problem of exponentially Stop being static higher costs is something that can be turned against In a sense it’s good when a company or organization has our adversaries. Just because a hundred percent been hacked, not too devastatingly, of course. It’s good perfect security is impossible to reach, this does if the victim has survived the attack, learned from it and not mean that ideal security is out of reach. Ideal adapted. Like a home-schooled child that has never had protection is a level of security which is realistically the flu, the first infection will hit hard. And in the case of attainable – meaning that it’s feasible as well as cyber attacks, that first hit will come, sooner or later, or it affordable in relation to what’s to be protected. has maybe already happened, unnoticed.

From the viewpoint of potential victims, ideal protection Darwinism is the key to survive cyber insecurity. is achieved when the cost to hack your system is higher The trick to achieve Darwinesque adaptability is than the cost of the potential damage that could be to stop being static. Don’t just list and defend your caused by a hack. To put this in terms of the current cyber assets. Realize that, over time, some assets devaluate crime environment: ideal protection is achieved when and some protections erode. Make a graph of your the cost of a successful attack is greater than what an assets and your security measures. Scale up your attacker could gain from a hack. valuations and change your protections. Keep up! Beware of snake oil salesmen who peddle the Two sides of the coin marketing magic of so-called ‘nextgen security’. Unfortunately, the huge strides we’ve made in information technology and telecommunications work The bigger picture both ways. The technical progress helps modern usage, Don’t focus on specific security incidents. Instead, facilitates new business models and enforces cyber concentrate on potential attackers and correlate security. At the same time it makes new cyber crimes seemingly individual incidents to see patterns. Look at and illegitimate business models possible, feasible and the bigger picture. Don’t try to do all this by yourself, ultimately affordable for the bad guys. The shining coin of because nobody can. Sharing information, between IT evolution has a dark other side. businesses (yes, even your competitors!) and/or with law enforcement agencies equals learning, which in Naturally, there are cases where the cost of a successful turn helps us all to adapt. We showed that it could be attack does not really matter. This applies to certain kinds done: the ‘No More Ransom’ initiative1 that consisted of of hack goals and certain kinds of attackers. Like state- Kaspersky Lab, Europol and competitor Intel Security, backed hackers who are out to sabotage, steal, spy or helped thousands of people in the Netherlands and even make cyber war. This is not scaremongering or just a Belgium last summer. This could not have been possible theoretical possibility, this is stark reality. without working together.

Sabotage, spying, theft Lastly, take Gartner’s advice for adaptive security Costly and complex cyber sabotage has already been architecture to heart, and change retrospective security done. A prime example is the sophisticated worm into a continuous cycle. That model delivers predictive which disabled Iran’s nuclear program, even before and preventive security, whilst also giving you detective 2010. Costly and complex cyber theft has also been done. capabilities to respond quickly to threats. Evolve, or be a A recent example is the illicit money wiring through victim of ‘natural cyber selection'! hack attacks on banks via the international SWIFT system (Society for Worldwide Interbank Financial Telecommunication).

(1) https://www.nomoreransom.org/

3.2 Million servers Gold-mining firm vulnerable to JBoss attack. Goldcorp hacked, its data leaked online.

April 15 18 19 U.S. government tells US Office of Personel Windows customers to Management hacked. delete QuickTime due to hacking dangers. 18 | European Cyber Security Perspectives 2017

Remote SIM Provisioning New standard adds new

Daan Planqué, KPN risks to the mobile domain

The world of mobile phones and their accompanying network called the Authentication Center (AuC). Now networks is one of constant high-speed innovation. The that the mobile network and the SIM card both know the Netherlands hasn’t even had a 4G network for 5 years and Ki, they can prove the others identity via a pre-defined the trials for 5G have already started. On top of that there algorithm2. This measure counters the possibility of an is a new standard in the works at the GSMA1, a mobile attacker impersonating (i.e. spoofing) a SIM card or industry standards body that will, change the concept of mobile network. The Ki also allows for the creation of the SIM card as we know it. However, this new standard, an encrypted connection between the smartphone and as it currently stands, will introduce new security risks the radio network of the mobile operator preventing that make it increasingly easy for an attacker to listen-in anyone from listening or manipulating phonecalls or or manipulate voice or data traffic. In the following data traffic. In other words, keeping the Ki secret is of paragraphs, I will explain why these risks exist, what they paramount importance to guarantee the confidentiality might mean for you or your company, and what you can or authenticity of the mobile connection. do to reduce or remove them altogether. Another benefit of a SIM card is the possibility to swap First some background it if the trust in the security of the Ki or the connection Before explaining the risks of the new GSMA standard, is lost as a new SIM card means a new Ki. In the future, some background knowledge on SIM cards and such a swap might not be possible anymore if a switch encryption is required. For a smartphone to work it needs to embedded or integrated SIM cards is made. These to have a SIM card from an operator with whom t has new SIM cards, called eUICC or iUICC (embedded or a subscription for voice and/or data. The smartphone integrated Universal Integrated Circuit Card), will either will create an encrypted connection with the mobile be soldered onto the motherboard of the phone (eUICC) network once the SIM card is unlocked with a PIN code. or integrated into the processor (iUICC). The question This is possible because the mobile network and the SIM then is: “How does the phone know what operator it card both know a unique secret key called the Ki. This wants to connect to?” and this is where the new GSMA key is created during the production of the SIM card standard comes into play. and is hardcoded in the chip, which means the key is programmed into the card in a manner that it cannot be Remote SIM provisioning changed or removed after the fact. After the production of A cooperation of international telecom operators and a SIM card, a copy of the Ki is securely sent to the mobile vendors of mobile systems3, who are all members of the operator, who then stores it in a database in the mobile GSMA, are developing the new standard called Remote

(1) GSMA (www.gsma.com) (2) An example algorithm is Milenage specified by the 3GPP (www.3gpp.org) (3) Examples of mobile system vendors are: Samsung and Apple who create smartphones, Vendors who produce SIM cards such as Gemalto and Morpho, and Cisco or Ericsson who create the IT systems used by mobile network operators.

April 20 Four hundred million vulnerable Viber is now end-to-end Androids are out there. There's encrypting phone calls still too many unpatched Android and messages. devices, Google reckons. European Cyber Security Perspectives 2017| 19

SIM Provisioning (RSP). The RSP standard consists of Soooo, why should I care? multiple documents, some of which are still in draft, and With the outline of the basics of RSP in mind, lets describes how the systems that provide the provisioning consider the fact that the SM-DP+ stores all key material functionality work together. and is connected to the internet. Combine that with the The RSP standard will bring many changes with it. The fact that there is only one Root CA, which also must be main difference will be that a SIM card has its subscription connected to the internet in order to verify the identity profile, which includes the secret Ki key, installed by a of systems in the RSP infrastructure. On top of that, that remote server. This remote server, called the SM-DP+ the Ki, which is used to encrypt the phone call between (Subscription Management – Data Protection), will store a smartphone and the base station of a mobile network, the subscription profiles of one or multiple telecom is stored in the SM-DP+. So, when the SM-DP+ is hacked operators in its own Hardware Security Module (HSM). and the attacker can retrieve the Ki’s, all traffic between When a mobile device requests a profile, the SM-DP+ will mobile devices and base stations can be decrypted. ask the respective operator for approval and, if received, This would allow a criminal to clone a SIM card and call will send the complete subscription profile, including the expensive phone numbers for financial gain or prevent Ki, over a TLS encrypted channel via the internet to the you from connecting to the mobile network. What if the SIM card. only Root CA for mobile networks is compromised and all certificates need to be revoked? How can the SM-DP+ This encrypted channel is where another important part or a SIM card verify identity? And once this situation of the RSP infrastructure comes into play, namely the will occur, how can the ‘chain of trust’ be rebuilt and the Public Key Infrastructure (PKI). The PKI is used to ensure Root CA certificate, that is stored on the SIM card, be that the authenticity of the systems in the RSP network replaced? How can the Root CA be replaced in a secure can be verified. For RSP, the idea is to create a specialised and trustworthy manner if the SIM card cannot verify the Root Certificate Authority, ‘owned’ by the GSMA and identity of the mobile network? The only solution then trusted by all the members who use the system. The RSP is to replace the processor or motherboard of the device. Root CA signs the certificates of the systems, such as the Also, don’t forget the wonderful world of IoT devices with SM-DP+, as well as the certificate for the SIM vendor a mobile connection such as cars, sensors, fridges, or (EUM) that allows it to create and sign the certificates alarm installations. These will, as with the smartphone, for the SIM cards. This ‘Chain of Trust’ allows a SIM card all require their motherboard or processor to be replaced to verify the identity of a SM-DP+, because it has been if the profile ever needs to be changed. For example, signed by the Root CA it knows and trusts. Likewise, when wanting to switch to another provider or a new the SM-DP+ knows and trusts the certificate of the SIM subscription. And what about all the embedded devices card because it knows and trusts the Root CA. When the used for remote management of industrial devices such identities have been verified the SM-DP+ and SIM card as cars, trains, or power plants? It would be an utter and can create an encrypted channel and exchange the new complete nightmare. subscription profile. Oh dear! Should I panic? No, you should not panic. As I said before, these CI-A standards are still being developed and some are still in the draft phase. At KPN, we have expressed our Root CA concern and are working on improving the standard documents together with the GSMA and partners involved. You, as a user, can also prevent eavesdropping by adding another layer of encryption to your mobile traffic, for example by using HTTPS when browsing the web, using Silent Phone for voice calls, or by using EUM Signal or Threema as messaging apps. If you want to Distributed go even further you can ask your telecom operator if EUM Sub-CA they are aware of these security risks and ask them, if necessary, to act. In the end, it comes down to the SM-DP importance of taking security into account right from SM-DP the start when designing a new system or standard. Certificates eUICC This goes, not only for the systems of vital importance eUICC to modern society, but also the smallest and least- Certificates significant devices there are. Because even a simple DVR can, in large numbers, take down the internet.

Figure 1 - PKI infrastructure of RSP

Waze traffic app allows user tracking.

April 25 26 Hundreds of Spotify credentials Site for ‘beautiful’ appear online – users report people suffers ugly accounts hacked, emails changed. million-member breach. 20 | European Cyber Security Perspectives 2017

Energy sector cyber security 2.0:

Gisele Widdershoven, Accenture Security Pro-active approach needed to tackle insider threats

Successful attacks and a potential for wide-scale perimeter defences. With the use of social engineering disruption have made the oil & gas, chemicals and to bypass these defenses through fraudulent access to utilities industries prime targets for cyber attackers. employee credentials, we need to extend our thinking to Enterprises operating in these sectors are strongly cover threats from the inside – where the attacker could advised to update their security practices to address be masquerading as an employee, or could also be a insider threats. valid employee with a grudge. According to a 2015 survey performed by SANS1, “insider threat” was regarded as one While most of the current attention has been given on of the top security threats by 48% of the participants. the threats to the electric grid worldwide, oil and gas have been almost forgotten in the media and research Social engineering is proving to be devastatingly effective planning. The US Department of Homeland Security in gaining access to secure systems by exploiting a lack of even states that the energy/oil-gas sector is the most security awareness of employees. The economic necessity attacked industry worldwide. Oil and gas production of converged IT/OT infrastructures has meant that the is part of nations’ critical infrastructure, with many cyber attacker potentially has a wider attack surface to thousands of miles of exposed pipelines, making them exploit. As the Ukrainian blackout proved, it is possible to vulnerable to both cyber and physical attacks. This makes gain access to and disrupt the OT domain by exploiting them an attractive target for nation-states, hacktivists, security weaknesses in the IT domain. splinter groups, lone actors and terrorists. In 2016 the number of cyber attacks has increased Risks are underestimated beyond the 2015 count, and companies are reporting Major oil and gas companies worldwide, such as Saudi that they are losing confidence in the ability of their Aramco and QatarGas2 have experienced devastating own organisations to detect and deter increasingly insider cyber attacks, resulting in the shutdown of vast sophisticated cyber attacks. parts of their operations for pro-longed periods of time. It seems as if companies are underestimating the risks that Insider threats energy production and production operations are facing. Conventional Enterprise security mechanism are designed Although awareness of the need for effective security is to keep the ‘bad guys’ out – and have tended to focus on growing, there is still a wide-scale lack of understanding

(1) SANS white paper “State of security in control systems today” (2) Sources: Insiders exploiting privileged accounts likely behind Saudi Aramco attack (infosecurity-magazine.com); Insiders Implicated in Saudi Aramco Attack (securitywatch.pcmag.com); Thinking about Security from the Inside Out (www.wired.com); Natural gas giant RasGas targeted in cyber attack (www.scmagazine.com); US officials: Cyberattacks on Aramco, RasGas may have come from Iran (dohanews.co).

May 2 3 ‘Smart’ Home let Michigan power and hackers unlock water utility hit by doors and set off ransomware attack. fire alarms. European Cyber Security Perspectives 2017| 21

the potential vulnerabilities present in industrial control Disgruntled employees, laid-off or misjudged personnel, systems, which is compounded by growing threat levels, can easily rationalise their actions when crossing and the potential for insider threats is largely overlooked. ethical lines. Looking at these potential threats in your organisation, while bringing in new cyber security Holistic approach frameworks or workflows is not an easy task. The main At a Society of Petroleum Engineers (SPE) conference, difficulty is to bring in a purely technical approach into several speakers indicated that the responsibility for contact with the Alpha-world (emotions and personnel cyber security should not be the sole responsibility of backgrounds), as shown in the attacks inside Aramco3, the IT department. A more holistic approach is required which were all expedited by insiders. to counter the growing cyber security threats linked to social engineering, human interference or insider threats, Interaction on all levels which are largely linked to human factors. The total Eliminating insider threats necessitates interaction on all organisation needs to become involved with security in a levels between HR, legal, HSE and IT departments, and pro-active and consistent manner. necessitates increased vetting of personnel. This should be conducted on a continuous basis, perhaps supported Looking at the overwhelmingly complex organizational by social media data mining or other legal assessments structure of international oil and gas companies - which to be able to pro-actively approach possible breaches or are not only financially and commercially integrated, but outright theft, sabotage, ransomware or worse. also in their technical operations - a lack of awareness in This approach will involve increasing the assessment of one department will constitute a threat to all. human behaviour through increased social media tools to keep an eye on out-of-area/over-the-horizon social The weakest link media activities of employees or third parties. At present, most energy or water companies are looking solely for their cyber security to their IT departments, and The use of new tools to access and address official open sometimes involving operational groups to support their source information will become a major new security tool efforts. However, looking at the insider threat parameters, to provide more actionable data to increase a company’s several other groups should be involved at the same time own security environment but also will give it the tools to to counter possibly increased threat opportunities. The put in place a more pro-active approach to counter future underestimated role of human resources, HSE (Health, threats. The inclusion of all departments, HR, IT-Security Safety and Environment) and even finance, is clear. and operations, is a clear need. Addressing potential Personnel is, at present, always the weakest link in any future threats inside your company, based on human operational security approach. Personal issues will affect factors, will need a more active HSE/Security awareness the effectiveness of any cyber security approach. within the HR departments too.

At the same time, based on growing integration and Cyber security 2.0 specialisation of oil and gas operators, but also power Behavioural analysis is needed not only to keep your and water companies, engineering projects such as personnel out of risks but also to prevent future threats. drilling, seismic, geophysics or construction, always Social engagement and behavior on the Internet, involves third parties at the premises. especially after working hours, could indicate a negative development that could lead to an insider A risk to be addressed is the need for third party and threat opportunity. At the same time, social behaviour contractor involvement in the normal day-to-day on the Internet/dark web or even grey web, needs business of companies. This increases the potential risks to be addressed and taken into account. Networks of interference by contractors using insecure practices, of individuals indicate increasingly the possibility of or intent on causing cyber damage if they are not threats. Data is available, but actionable data is hard appropriately vetted. to find. Cyber security 2.0 is needed, which should be a symbiosis between human or behavioural analysis Disgruntled employees (Alpha) and pure IT systems and algorithms (Beta). As The range of potential insider threats is wide, but can long as algorithms and IT systems are not as smart as a range from disgruntled former employees with technical human brain, human analysts will be needed to counter knowledge, to commercial spies or non-state/state a potential insider threat which is developing outside of actors. For normal employees to become insider threats the company but will be targeting inside operations. is not an enormous leap.

(3) Sources: Insiders exploiting privileged accounts likely behind Saudi Aramco attack (www.infosecurity-magazine.com) Insiders Implicated in Saudi Aramco Attack (securitywatch.pcmag.com); Thinking about Security from the Inside Out (www.wired.com).

FTC to study mobile Firefox asks Feds to device industry's security disclose security update practices. hole, they used to hack suspects.

May 6 7 9 12 Kroger notifies The LAPD hacked UK Court tells employees of W-2 into an iPhone for Government breach involving a murder case. ‘Hands off’ ’s Equifax service. encryption key. 22 | European Cyber Security Perspectives 2017

Breaking your band: one byte at a time over the air Ömer Coşkun, KPN

Introduction of ~70 concurrent-threads which can handle signal and Modern computer systems – smartphones, PCs, video processing, GPS, and mass storage (SD cards) etc.3 embedded devices 1 – are comprised of multi-layered operating systems. This is unlike the conventional The following photo shows the internal structure of an description from Computer Science books, which states iPhone 5/5s, utilized Qualcomm MDM9615 baseband that single monolithic pieces of software manage each mobile data modem (highlighted in blue)4. piece of hardware, from CPU, the video card, and up to the wireless connectivity.

Let’s take smartphones for instance, it actually runs two operating systems; the first layer (Android, iOS, Windows Mobile etc.) is the layer we, the end-user, interact with and the baseband operating system2. The baseband lays in firmware that runs the baseband Figure 1: iPhone 5/5s internal circuit board structure processor, which is relatively tiny and operating invisibly. Merely to responsibly process everything related to radio Baseband RTOS architecture and cellular data. Hexagon is Qualcomm’s digital signal processor used in the Snapdragon series on-the-system chip Baseband (RTOS) Real-Time operating system for supporting CPU and DSP functionality in deep The functionality of baseband is time-critical, therefore embedded processing. The hardware utilizes VLIW a real time operating system (RTOS) is required on its architecture, variable instruction lengths and a very long architecture. For instance, the RTOS in Qualcomm instruction word processor architecture with hardware Snapdragon’s baseband processors’ use a VLIW (very long multi-threading. instruction word), and a proprietary REX kernel, made

(1) The second operating system hiding in every mobile phone (www.osnews.com) (2) Baseband processor (wikipedia.org) (3) Qualcomm Snapdragon 805 Processor (www.qualcomm.com) (4) iPhone 5/5s internal structure (www.techinsights.com)

KPN to implement quantum encrypted connection (QKD).

May 16 17 18 Gatecoin Claims $2 Million VMware updates in and ethers lost products to patch critical, in security breach. important flaws. European Cyber Security Perspectives 2017| 23

The hexagon is a 32-bit architecture, which operates with Despite the fact that the analysed firmware makes an 32 bit registers over 32-bit addressing space. Instructions attempt to prevent reverse engineers, from obtaining could be grouped together for parallel execution, with valuable information about its property. It still leaks a each group containing one to four instructions together. lot of useful information in the firmware, even when The following screenshots a sample disassembly of a encrypting some of the binary sections. hexagon binary using IDA Pro’s Hexagon Plugin5: The firmware, for instance, contained vendor related specific versioning and digital certificate information which were readable by a standard text editor.

Figure 2: Disassembly of a hexagon binary using IDA Pro

The main characteristics of hexagon’s assembly analysis show that it’s specifically intended for digital processing jobs with a fully-featured general purpose architecture, with a strong focus of computationally expensive operations such as vector and floating-point operations.

Interestingly enough, the hexagon architecture permits encoding of two instructions to one, in the sense of compound and duplex instructions. (E.g. two atomic instructions combined into one or two consecutive operations grouped together)

Analysis of a smartphone’s DSP firmware Figure 4: DSP Firmware containing vendor related information A smartphone’s baseband firmware is not different than a standard elf-executable (ELF), but it’s compiled for Offensive exploitation scenarios hexagon's architecture. Therefore, it may be analysed by on baseband RTOS the GNU-Toolchain which consists of tools such as GCC, The DSP firmware binary is based on VLIW architecture OBJDUMP etc. with variable length instructions and multi-threading. This architecture exploits data, instruction and thread The following screenshot shows that the smartphone’s level parallelism with application specific instructions DSP firmware is correctly recognised by the (compound instructions, e.g. 1 DWORD does 2 things GNU-Readelf. in parallel) to achieve efficient data re-use and less power consumption.

According to disassembly analysis with a tool called IDA Pro and by reading the Qualcomm documentation6; it was found that the chipsets use the following security features: safe unlinking (heap), NX also known as non-executable(heap/stack), kernel/user-mode separation (a.k.a. SMEP), however, there is NO ASLR (Address Space Layout Randomisation) in place. This eases an attacker’s work to achieve command execution on a victim’s phone. Additionally, stack usage/allocation is similar to x86 with a little difference – stack frames are 8-byte aligned instead of 16 bytes on x86 systems. Figure 3: GNU-Readelf correctly recognises the DSP firmware

(5) IDA Pro’s Hexagon Plugin (.com) (6) Qualcomm developer reference manual (developer.qualcomm.com)

Thousands of Ubiquiti AirOS routers hit with worm attacks.

May 19 23 Metadata from Student convicted after phone calls finding encryption flaws in ‘reveals personal government network. information’. 24 | European Cyber Security Perspectives 2017

Having all this in mind, exploitation of multi-threaded Conclusion applications is difficult. In general due to dealing Achieving code execution on a baseband’s RTOS would with race conditions and difficulties with achieving mean control over millions of phones, regardless of its Turing-completeness when it’s required to have certain brand, since they mostly use the same chipset. Therefore, conditions to be met during exploitation. (i.e. tracing attacking the baseband’s RTOS has always been high messages across multiple tasks, monitoring IPC etc.) profile and a well-compensated target for black-hat hackers and intelligence agencies alike. Specially, the exploitation in this (VLIW) architecture is harder, due to existence of compound/duplex It was actually hinted out by Edward Snowden in 2014, instructions. This creates constraints for re-usable that NSA and other intelligence agencies could remotely standard library code (a.k.a ROP gadgets). This can, turn on a phone and record everything by exploiting a however, be overcome by automating the constraint vulnerability in the baseband’s RTOS or sending their handling with help of memory sanitizers and constraint own modified firmware to a victim’s phone through an solvers. (i.e. LLVM7, SMT solvers8). Manual gadget writing innocuous looking firmware update9. would require alternating in gadgets, and de-allocation of the frame (JMP R31) to achieve Turing completeness due to trampoline calls in hexagon instructions.

(7) LLVM Compiler Framework (clang.llvm.org) (8) Z3 Microsoft SMT Solver (github.com) (9) How the NSA can‘turn on’ your phone remotely (money.cnn.com)

DDoS attacks via TFTP protocol become a reality after research goes public.

May 24 31 FBI warns against wireless Sandjacking attack keystroke loggers disguised puts iOS devices at at USB chargers. risk to rogue apps. European Cyber Security Perspectives 2017| 25

1) Puzzle time! Can you crack these puzzles?

1) 1

2) +++++[>+++++++++++++++++>+++++++++++++++++ ++++>++++++++++++++++++++++++>+++++++>++++2) ++++++++++++++++++>+++++++++++++++++++++++ >++++++++++++++++++++++<<<<<<<-]>-.>-.+.>-+++++[>+++++++++++++++++>+++++++++++++++++ ----.>---.<+.<----.>++++.----.>.>-.<<<----++++>++++++++++++++++++++++++>+++++++>++++ .>+++++.>.>+.+.<<-----.>.>---.<<-----..--- -.>.<+.---.++.<++++.>>.<<----.>>>>-.++.<<.++++++++++++++++++>+++++++++++++++++++++++ 2<<+.>>>>+.-.<<.<--.>>>.<<.<<++.>>>+++.<<<+>++++++++++++++++++++++<<<<<<<-]>-.>-.+.>- .>>>++++.<.<<-.>>>----.<.<<---.>>.<--.>>.. <<<+++.>>.<+++.+++++.<--.>>.>>>-----.<<<<-----.>---.<+.<----.>++++.----.>.>-.<<<---- .>.<--.+++..----.--.+++++.<+++++.>>.<.<--..>+++++.>.>+.+.<<-----.>.>---.<<-----..--- >+-++++.<-.>>>>+-+++++.<<<<<<+++++-++++++.-.>.<+.---.++.<++++.>>.<<----.>>>>-.++.<<. <<+.>>>>+.-.<<.<--.>>>.<<.<<++.>>>+++.<<<+ .>>>++++.<.<<-.>>>----.<.<<---.>>.<--.>>.. <<<+++.>>.<+++.+++++.<--.>>.>>>-----.<<<<- .>.<--.+++..----.--.+++++.<+++++.>>.<.<--. >+-++++.<-.>>>>+-+++++.<<<<<<+++++-++++++.

3) ilua dt slt reiia ttc ots bh oenhaoefp 33) ilua dt slt reiia ttc ots bh oenhaoefp

Check page 63 for the correctOplossingen: answers 1) Some text looks like art 2) This text may not look like art but it does do a good job in looking nerdy June 1 3) This is all about14 the art of deception Criminals behind LURK Democratic National Committee malware arrested. report that they have been hacked. 26 | European Cyber Security Perspectives 2017

Stop Chasing Your Tail

John Michelsen, Zimperium

These days, the computers most vulnerable to a cyber Why is this important? threat in the enterprise are mobile phones and tablets. With iOS and Android platforms continuously evolving, Security teams are totally blind to the risks these devices it is crucial to detect attacks without having to update pose for the enterprise and are unable to deal with a detection engine. Having to update your detection threats as they appear. Many enterprises manage device engine to recognize a threat will continuously put you access to corporate resources, networks and identity, steps behind cyber attackers. Constantly updating your but they can’t remediate a threat they can’t identify. As detection engine to protect yourself from an attack is more of our computing goes directly from mobile device only useful if you know of all of the attack methods, but to cloud services, network threat detection solutions are you can’t possibly know all of them. It is an impossible ineffective, since data often resides outside the corporate task since cyber criminals are constantly trying new data center. There has to be a better way to remediate and techniques to avoid detection. Once an attack method identify mobile device attacks and risks in the enterprise. has been publicly disclosed, a hacker or nation-state is less likely to use it. In essence, you are looking for attacks In December of 2016, Ian Beer, from the Google Project no longer being used. Zero research team, released his local elevation of privileges exploit targeting Apple’s iOS 10.1.1. iOS is the Take for instance the attack targeting human impenetrable operating system said to be secure with its rights activist Ahmed Mansoor in September 2016. “walled garden” approach, right? Well, we viewed this Pegasus is a device-level exploit identified in the wild latest attempt as another opportunity to assess a new after researching a link in an SMS sent to Ahmed. Having zero-day exploit against our machine-learning attack and been targeted before, Ahmed is aware of the dangers of exploit detection engine – z9. constantly being connected and would be considered an advanced smartphone user. After receiving a text After a test in our mobile research lab, z9 detected, once he suspected was malicious, he sent it to a lab for again, a previously unknown attack. Beer’s 10.1.1 exploit investigation. After testing, the text proved to be an allows remote shell access as root. z9 detected the attack advanced kernel-level exploit, activated remotely by a without needing an update to see this threat. Since we group targeting Ahmed in order to take over his device didn’t require an update, our customers were protected and track his whereabouts and data. Our detection at a time when the vulnerability didn’t have an official engine detected this attack without needing an update name, marketing campaign or disclosure. to recognize this vulnerability. Apple later fixed the vulnerability and pushed out an update.

Google Project Zero team Researchers releases report with multiple RCE release a paper vulnerabilities in Symantec and on transmitting Norton products. data via pc fans.

June 15 24 28 Thousands of hacked Chrome makes it easy Government and to pirate movies. corporate servers seslling for $6 on black market. European Cyber Security Perspectives 2017| 27

In July 2015, a similar, remotely executable exploit on New and previously unknown threats are becoming Android, , was disclosed. The Stagefright more frequent. Targeted attacks on individuals’ devices vulnerability allows an attacker to perform arbitrary will continue to increase, as business users primarily operations on the victim's device through remote-code use mobile devices not protected with a Mobile Threat execution and privilege escalation. The attack can be Defense solution. Identifying these attacks via the cause delivered via MMS to the victim’s device where it runs or signature is an outdated method and is difficult to automatically, since the Stagefright library can execute a maintain, since mobile operating systems are updated command without user interaction. several times a year.

Pegasus and Stagefright are very similar. Both are In order protect yourself and your corporate data, I remotely executable attacks and existed for years before recommend using a future-proof, on-device mobile they were identified. Pegasus was originally developed threat detection solution, rather than relying on a historic for iOS 7 and was identified 26 months later. Apple or signature-style method of detecting mobile threats. this vulnerability with the iOS 9.3.5 update, and if you are running iOS 9.3.5 or later on your device, it is no longer vulnerable. However, it is still vulnerable to the next Pegasus-like exploit or unknown vulnerability. The same scenario plays out with Stagefright, but on a larger scale. Google has updated the base Android OS, but the fragmented update process to get new versions to devices is tedious and slow. Approximately 800 million Android devices remain vulnerable and many will never receive security patches for the Stagefright bugs. With iOS and Android

Protecting your workforce from these known attacks platforms continuously is well-documented and attainable. However, it is not possible to defend against these types of vulnerabilities evolving, it is before the research and documentation is provided, unless you are using an on-device, behavior-based crucial to detect detection method. Using a behavioral detection engine attacks without is the only way to defend against the unknown attacks lurking in the wild today. having to update a

Zimperium’s research team has tested many other detection engine. previously unknown attacks against z9 and found the same success. Dirty COW, Gooligan, Drammer and Dress Code were all exploits detected by monitoring the effects of the attack versus trying to identify the attacks via the cause or signature. A behavior-based detection software looks for the effect of an attack and can warn a user or security administrator of any new threats. If an app or process elevates privileges on the device, it is detected. If a process changes a file in the OS or any of the other thousands of parameters available, it is detected and classified based on the effect. Once an attack is detected it can then be remediated and locked down. This “on device behavioral detection” is how you detect “unknown” or “zero-day” attacks.

Fantom ransomware found to pose as Windows update to encrypt files in peace.

July 7 8 Google starts testing starts testing ‘quantum-cryptoproof’ end-to-end encryption in proof crypto algorithm Facebook messenger. in Chrome browsers. 28 | European Cyber Security Perspectives 2017

My First Golang Project

Bouke van Laethem, KPN

aiki.go systems has usually been compromised using a Aiki is a Japanese martial arts principle or tactic in list of common or standardized usernames and which the defender blends (without clashing) with passwords, called a dictionary. I figured that the attacker[...] One applies Aiki by understanding the eventually this bot would try to log in to RDP using rhythm and intent of the attacker to find the optimal the same username and password which was used position and timing to apply a counter-technique. In to compromise itself. That seemed like a simple, Japanese Aiki is formed from two kanji: provable and specific enough hypothesis.

合 : *ai - joining* One small problem: RDP is a complicated protocol to mimic for research purposes. Luckily Secure Shell 氣 : *ki - spirit* (SSH), another protocol used to remotely manage devices and computers, is not. Just like countless system Down the rabbit hole administrators all over the world, I use SSH to remotely A while ago, a colleague noticed attempts by an manage my Internet facing servers. A quick look at the “Administrator” to log in to one of his computers. His number of failed login attempts for SSH on one of my computer had the Remote Desktop Protocol (RDP) servers was enough: Password guessing attacks against service open to the Internet. As the name suggests, SSH are happening on a very, very large scale. the RDP service allows computer owners to remotely use their desktop. The attacker was trying all kinds of Building the test case passwords to get into the machine. My colleague scanned “How do you know I am mad?” said Alice. “You must be,” the attacking computer. The only service open to the said the Cat, “or you wouldn’t have come here.” Internet was RDP.

Perhaps someone was consciously attacking others from his own computer, forgetting he/she had left RDP open. But more likely the system had been compromised through RDP, infected with malware and was now being used to attack others. The attacker was trying to log in through RDP and only had RDP open itself. Suddenly something dawned on me.

When a system mindlessly does whatever an attacker wants it to do, we call it a bot. A bot attacking other How do you know I am mad?

July 12 19 Ranscam malware acts as F-Secure finds that you can malware but only deletes files negotiate a lower price for your and stops booting. ransomware ransom. European Cyber Security Perspectives 2017| 29

I immediately started writing a program in Python that In the end the module turned out to require a few more pretended to be a SSH service. The idea was simple: nuts and bolts. You can find the aiki.go source on https:// • Pretend to be a SSH service. github.com/KPN-CISO. • Bots will try to log in with a username and password. • Automatically try to log in to the attacking system’s I deployed aiki.go on one system, quickly followed by five SSH service using the same username and password. others in different IP ranges around the world. And then, I waited. Would I catch anything? And if so, on how many different systems? Well... In pseudo-code: for connection in SSHD: Days aiki.go has been running: 183 try: Number of attacking systems: 8986 SSH.connecttoattacker(‘connection.remoteIP’, Number of successful "aiki": 742 ’connection.username’,’connection.password’) Top 10 of usernames and passwords used in successful print(‘It worked!: ‘, connection.remoteIP, connection. "aiki": username, connection.password) 220 admin:admin except: 132 root:admin print(‘The King said gravely: “Go on till you come to 53 pi:raspberry the end: then stop”’) 34 root:root 33 root:123456 29 ubnt:ubnt Sadly, my coding flow soon ground to a halt. I have this 23 root:welc0me way of running into Python threading and performance 22 root:000000 issues. Things were getting ugly fast. That is when I 21 root:openelec decided to start my first Golang project. Because as some 14 root:1234 of you may know, the Golang programming language is Top 10 of most successful days: right up there on the hipster scale with beards, soy lattes 33 2016/12/29 and fixies. This should be reason enough to choose it as 28 2016/03/06 a programming language, but it also performs great and 24 2016/12/25 has awesome threading functionality. So Golang it was! 18 2016/03/15 14 2016/12/30 In some pseudo-code, the program to fake a SSH service 14 2016/12/28 does this: 14 2016/03/09 14 2016/03/04 package main 14 2016/01/04 import ( 13 2016/12/27 //some libraries I need to make this work ) // create a private key used by the SSHd to encrypt It was really nice to have my hypothesis proven, but communications now I had some hard questions to answer. Was what I func buildkeys() (priv_pem []byte) { was doing legal? And even if it was okay in the eyes of } (international) law: how could I use all of this ethically? // set up non-bruteforcable account details func unguessable() (username string, password string) { Laws } “Now, I’ll manage better this time,” she said to herself, and // ssh client that can reuse captured usernames and passwords began by taking the little golden key, and unlocking the func aiki(ip string, username string, password string) { door that led into the garden. } func main() { // start fake SSHd server config := &ssh.ServerConfig{ }, // connect back to anyone connecting to the fake SSHd server go aiki(ip, username, password) }

Now, I’ll manage better this time...

August 2 15 million users’ phone numbers leaked in Telegram hack. 30 | European Cyber Security Perspectives 2017

In the Jabberwocky world of information technology it Ethics must be hard for lawmakers to decide what constitutes a The Queen turned crimson with fury, and, after glaring at crime. To make sense of intangible acts often the tangible her for a moment like a wild beast, screamed “Off with her world is taken as a guide. So, can we find a real-life head! Off--” example to explain what aiki.go does? And can we use it to decide if what we are doing is legal? I think we can do “Nonsense!” said Alice, very loudly and decidedly, and the both, but first I have to give a little background on how Queen was silent. SSH works.

When you use SSH (version 2), the acts of connecting, authenticating, and actually doing something on the remote system are strictly separated into transport, authentication and connection steps. A diagram might help to explain this.

Client Server step SSH Transport Protocol Privacy Integrity Server Authentication 1 Algorithm Negotiation

step SSH Authentication Protocol Off with her head!

SSH Channel Agent I am a hacker. I get a thrill from making things bend to my Agent Socket will. The buzz of getting my first positive results created 2 a torrent of ideas. I could name and shame everyone attacking me on Twitter! I could log in to the attacking SSH Connection Protocol systems and remove the infection, or even destroy the step remote system altogether! I could jump from system to Channel User Shell system uprooting botnets! Off with their heads! Terminal 3 So I started with the first thing that came to mind and added functionality to put IP address, username and Figure 1: SSHv2 protocol password of every successful “aiki” on Twitter. That would teach them! The aiki.go program works by taking the virtual key Except it would not. Because there is nobody to teach. I (username:password) the attacker used on us to try it on had a look at a couple of attackers using a . the attacking systems lock (SSH service). If the lock turns It quickly became clear these ruthless attackers were just (Step 2: Authentication), aiki.go does not even bother cluelessly configured devices. with the digital equivalent of using the handle or pushing against the door (Step 3: Connection). aiki.go simply My sample of successful “aiki” is a collection of victims, notes it found a working key and moves on. not villains. People are usually completely unaware their devices are attacking others. Clearly they also do I am not a lawyer but I think I am staying just on the not know that anyone trying a couple of passwords can (slightly bleeding) edge of what is legally allowed. I only access their security cameras, baby monitors, backup try to authenticate (not log in!) with the exact username devices, modems et cetera. If I started naming and and password the attacker just tried against me. But I shaming attackers on Twitter, I would just be giving am not completely sure, so I sincerely hope you will let access to these devices to all the Twitter trolls, violating me know if you think differently. I am very much looking the privacy of innocent bystanders. forward to some constructive feedback and expert As for the other ideas I had: logging in to devices to stop opinions. But even if what I am doing is lawful, that does or attack botnets, besides being illegal, also felt wrong. not necessarily make it right. Again, I would be further violating the privacy of the abused and that is not okay, ever.

Law enforcement agencies are likewise hampered in what they can do. They are usually allowed to request information about which person is behind a certain

August 7 Hacker finds 900 Million Android devices found vulnerability in vulnerable to Quadrooter attack. Electronic Safes via side-channel attack. European Cyber Security Perspectives 2017| 31

IP address. Theoretically they could get into contact and secure digital forensic data. But that would be a lot of work and none of it would be done with the goal of helping those who have infected devices.

Conclusion As far as aiki.go is concerned: in its current form it cannot do anything more without becoming unethical and unlawful. It has served to prove two things:

1. Most attackers out there are actually innocent victims with easily guessable passwords as their main weakness. 2. For anyone with some time and technical knowledge, it is possible take over large numbers of bots and botnets without actively attacking other systems. It would be illegal and unethical, but there are people out there who do not care about such “details”. Someone might already be doing this, without us ever knowing.

In the mean time, the best response the international community has come up with is a technological arms race. Governmental and private sector defenders are out there fighting against the herders. However, that fight focuses exclusively on trying to protect the (potential) victims of these botnets, not the victims in the botnets.

What I think we are lacking is the digital equivalent of the World Health Organisation (WHO) Global Outbreak Alert and Response Network (GOARN 1). Perhaps Computer Security Incident Response Teams (CSIRTs 2) could play a role in building a digital GOARN, with a focus and mandate to fight the disease by helping the victims.

In the Jabberwocky world of information technology it must be hard for lawmakers to decide what constitutes a crime.

(1) GOARN (www.who.int) (2) CSIRTs (www.cert.org)

August 8 WeVibe Couples Sextoy found Oracle's Micros Point-of- to be sharing sensitive data. Sale systems found to be compromised. 32 | European Cyber Security Perspectives 2017

IoT: next big thing or next big fear Security and trust in the connected world

Vito Rallo & Bram van Tiel, PWC

internet to our daily mobile life, imposed new needs and finally blended an ancient established human process called “communication”.

What is missing to meet the 70s vision of the future? Flying cars, jet packs, and droids! Bruce Schneier defines the IoT as a robot. We are giving machines human senses; the Internet of Things can hear, see and smell, can feel cold and hot. The robot got arms to actuate commands in the physical world, even drive our cars. We are giving the IoT a brain to think through sophisticated analytics, sentiment analysis and machine learning and, finally, we are giving devices nearly real time communication powers, inter-connecting them in a way humans are certainly not to one other. I was 12 years old, young, passionate and excited about my recent expensive achievement: a white, thick plastic Say “hi” to the 21st-century robots. brick covered with brown keys called the Commodore 64. The IoT revolution is not scary; it’s just exciting in Framed blue screens, a big white square cursor blinking essence, from wearable technology and toys IoT to the on my grandma’s TV and a world made of sprites and Industry 4.0, it offers endless opportunities. numbered lines of BASIC were storing dreams in only 64 Kilobytes of RAM. Security is still perceived as a barrier to the adoption of IoT solutions. Building a safer IoT means embedding Not even 30 years later we are confronted, once again, security from the ground-up. “Billions” and “trillions” in with the next big thing; powerful processors and better market forecasts will not save the IoT from failing, badly, operating systems capable of handling digital media if the Droid does not meet one basic human requirement contributed to the internet revolution. We brought the called “trust”.

August 10 Jeep Cherokee hacked - again. European Cyber Security Perspectives 2017| 33

Security of the IoT is about trust and keeping control of Security in the IoT will follow what I would coin “Cyber the robot. Look at the recent facts: we clearly lost control security Awareness Cycles”. The same happened to web facing one of those events whose possible occurrence applications and . At the advent of every cyber security experts, like prophets, had been discussing new disruptive innovation, we fall into a “total insecurity” for years: an army of infected cameras in a botnet phase. Risks and threats are completely “unknown”. controlled by hackers, maybe just one, maybe a teenager, Slowly, by learning and researching, we move into a more to exploit DNS (the internet’s domain name system) conscious phase. Risk acceptance and threat modelling vulnerabilities and bring down several sites and services. create security awareness but also generate fear. It is the process that pushes us to remediate, apply fixes and mitigate issues. Only by security awareness will we move into the “mitigated insecurity” phase, facing the uncertainty and learning how to deal with it.

New technology

Mitigated Insecurity UNCERTAINTY Insecurity UNKNOWN

Awareness Acceptance The heat map shows the areas most affected by the Denial of Service attack of Friday, Oct. 21st. FEAR A few days later, Mirai (the malware used in the attack) struck an entire country. The same malware was used Time is crucial while we’re navigating the awareness to attack the heating systems of two house blocks in cycles. We will certainly land in the IoT mitigated Finland, which is anything but a laugh when winter insecurity but how long will it take? Let’s make sure it will hits at -22 degrees Celsius. Hackers demonstrated be a short time, let’s do it now as it might take longer than how to hack medical devices, voting machines and we’re used to. critical infrastructures like power plants. What’s next? Ransomware for washing machines to steal your Tackling security for connected devices expensive clothes or an armada of toasters to attack For two years I have been speaking at events explaining critical infrastructures? I wish connected things could how important “data” is. Data is the commodity business stay far from influencing operational processes. for the IoT. Information must be kept safe ensuring integrity, confidentiality and authenticity and protecting More than any abused parallel between humans’ the intellectual property at all stages of the device lifecycle: immunity and IT, the droid can get sick, can be infected at run-time, at rest, at boot, in communication. We are by a virus, for instance exploiting wireless protocols like failing to bring the existing IT cyber security culture to the ZigBee. Recent research shows how to trigger a “chain IoT and are making the same mistakes again. This time is reaction,” spreading a worm infection by proximity to hard, more than ever before. We face a scattered complex adjacent IoT devices. Keep your neighbour’s drone environment, a truly heterogeneous mix of different away from connected light bulbs. The Droid could technologies, providers, and actors. Have a look at the IoT get infections like humans get the flu. The pandemic, value delivery chain to sense this complexity. comments the paper, could start with a single infected bulb being fitted in a city with a high density of How difficult is it to integrate security in this inherently vulnerable devices and trigger a catastrophic spread. unsafe design? The market has severely neglected security in favour of rapid development and cost Should we fear the IoT? efficiency. Out there, there are plenty of insecure The IoT is a compelling, unstoppable, big revolution that (low-cost) devices. I am still an ethical hacker. In the is already ongoing. I realize that many Security Experts past, the DarkWeb and Bitcoins were the ingredients to bring negativity and fear about IoT and this article does mount a real Denial of Service attack. Today, I could just not seem to be doing differently. On the contrary, in this go to the supermarket, buy a cheap camera, tear it apart, article I want to bring a positive message and insist on dump the firmware, search and exploit a vulnerability. how great the opportunities are and how amazing the By querying Shodan you can find thousands of similar technology behind it all is. devices - et voilà: yet another botnet!

August 10 Flip Feng Shui released. 34 | European Cyber Security Perspectives 2017

analysis”, “data tampering” and “identity theft” are some of the threats that could lead to corrupted data and/or broken privacy, and could wrongly influence decision- making processes in a failing trust design.

Get prepared; you will hear so much about it. In the upcoming years we will experience a tremendous growth and demand for solutions to establish machine trust. The answer is always an acronym: HSM, TPM, PKIs and TEE are just a few examples of great new or revamped solutions aiming to establish trust that are popping up in the IoT universe.

Security for the IoT is a concept that has spread across Trust is not entirely new to security folks. This time we’re the entire value delivery chain. Obviously, I do not have about to grant trust to machines that can interact with a magic wand solution. There are no industry-accepted the physical world; that’s the big deal! It’s no longer about guidelines yet. Many are working and struggling to M2M. Humans must extend the trust circle to machines; produce good material. Online Trust Alliance, Cloud that sounds scary, but again there’s nothing new as we Security Alliance, GSMA and the Industrial Internet do it every day when driving our cars or submitting Consortium are doing great but the level of complexity is bank transactions on-line. We trust our bank and the still too high. technology behind the home-banking service.

GSMA suggests looking at security by type of ecosystem. IoT must learn to influence our “psychological safety”, It works like a charm as constraints and security but it’s not doing great for the time being! Such concepts requirements are different for each domain. We should are well known to economists and management experts. consider: Psychological safety is what makes employees happy, creates trust in managers’ leadership and builds winning 1. Endpoint Ecosystem (devices, endpoints, sensors, etc), teams. End-users must trust the IoT solution; data, 2. Link Ecosystem (networking and communication), privacy, efficiency and availability, it’s all about trust. and 3. Service Ecosystem (back-end, APIs, data collectors Establishing trust and magic data processing services). We need guidelines and mandatory regulations governing IoT security. Probably something will come At PwC, we like the holistic approach and provide an soon from the US National Institute for Standards and ecosystem-aware framework based on: Technology (NIST) or a similar entity. The US may be the first country to impose rules and liabilities. People trust • Security by Design: it’s about guidelines, secure institutions as safety regulators. That’s one way to extend design, validation and proper SDLC. It’s also about the trust to the IoT but at the same time it forces companies architecture, data security and many other properties to follow a proper secure development life cycle and of the final solution; consider security testing. • Security by Assessment: we need to test and assess the security posture of our solutions, considering the threat Humans establish trust by head and by heart. Machines model before hitting the market. Ethical hacking and can probably mimic head, learn to establish trust by white-box hybrid assessments are the way to go; and means of technology, protocols and crypto. Establishing • Security by Trust: trust and security are tightly linked. trust is a must in accomplishing the next big revolution. Extending machine trust to humans is the way to I just can’t wait to understand more about this fascinating adoption of large-scale IoT solutions; relation between people and machine trust. How far I am now from the Commodore 64, after not even three dimensions built on top of technology, modeling 30 years… So far, yet not far enough. No, I’m not afraid and crypto. of the IoT; despite Spielberg’s vision, there is something that machines will never get. It’s called heart. Trust as key factor for IoT success Trust is the challenge and the key to the IoT success. Trust is more than security. It is a concept influenced by many properties in the IoT value system, tightly linked to security and inevitably related to privacy.

Identity, software integrity, and transaction integrity are all examples of trust issues. “Glitching”, “side-channel

August 10 Researchers find vulnerability in keyless entry system of 100 million cars. European Cyber Security Perspectives 2017 | 35

(Ir)responsible Disclosure A humorous look at dealing with Responsible Disclosures

Arnim Eijkhoudt & Wesley Post, KPN

Do you have a responsible disclosure policy and 'bug of vulnerabilities with automated scanning/crawling bounty' (reward) connected to it, or are you thinking tools, we tend to frequently receive multiple reports of of implementing one at your company? If you are: the same findings as well. be prepared to attract interesting kinds of security researchers! Although responsible disclosure is a noble A second tendency by researchers is exaggerating the risk concept, it can attract less noble reporters as well. of their findings in order to increase their chances for a As soon as it became widely known that KPN-CERT reward. We once received a responsible disclosure with rewarded valid responsible disclosures, security the rather ominous title ‘Remote Code Execution’ – pretty researchers from far and wide started approaching serious sounding for any seasoned CERT. However, when KPN-CERT with their vulnerability reports. reviewing and analysing the reported issue, it turned out to be a type of Cross-Site Scripting (XSS) which Only reporting vulnerabilities ‘for profit’ could only be performed within a user’s own browsing Unfortunately, for many of those researchers the session. This put the actual exploitability and risk of premise of a reward is their primary business model the vulnerability into a different category. Although the and motivation, rather than an overall concern about finding was insufficient to qualify for a reward, it was still increasing security on the Internet. Because of their a valid finding and it was fixed. different goals, the communication could sometimes be classified as ‘a bit different’. Here are some examples: The third method is the researcher attempting to “brute force” our responsible disclosure and bug The most common thing we see is the researcher being bounty policies. In this variant the researchers upfront about his or her motivation by immediately initially come up with a single, simple issue. asking for a reward as part of their initial report. That After being informed that the report is invalid or said, while the findings in their reports are generally less insufficient for a reward, they subsequently switch severe and insufficient to qualify for a reward, it obviously to the method of employing a ‘dragnet’ and sending does not mean they will not be fixed. Additionally, while us as many different findings from their scanning a reporter’s perceived risk of some vulnerabilities can be tools as they can, in the hope of finding a legitimate high, they sometimes turn out to be harmless or a false vulnerability which might be eligible for a reward. positive. Due to the relative ease of finding certain types

August 15 The Shadowbrokers group publicized multiple NSA vulnerabilities' moet worden 'The Shadowbrokers group announces an auction of an arsenal of NSA software, predominantly tools to covertly infect computers. 36 | European Cyber Security Perspectives 2017

It can get worse: quantity over quality The upside And then there are the really bad disclosures… One of Fortunately, we also get top-quality responsible our most notorious reports had a security ‘researcher’ disclosures at KPN. A beautiful example was a new, mail us to disclose more than 10 vulnerabilities. worried customer that sent us a hand-written letter addressed to KPN’s board of directors. The letter was Now, normally this would be a great report to receive, internally rerouted to KPN-CERT. if it wasn’t for the fact that he sent over 17 e-mails, with each e-mail containing carbon copy & pastes from an The customer described her arduous journey of growing automated scanning tool, useless debugging output and from a new computer user to figuring out what the annotations in poor English. mixed-content (HTTP / HTTPS) error in her browser While we are in favour of employing automated meant on KPN’s webmail portal. After realizing the vulnerability scanning tools, what made these reports security implications and learning more about security particularly egregious was the clear lack of understanding ethics, she then decided to report it. Her letter not only on the reporter’s part of the tools’ output, the impact mentioned the actual finding, but also extensively of the reported results and a complete lack of any proof described how to reproduce the issue on a step-by- of concept. step basis. This, of course, constitutes an example of a great responsible disclosure: it made it easy for us to On top of that, all except one of the findings were either check the validity of the finding. Consequently, it took duplicates or false positives. A usual pattern of incessant less than 2 weeks to fully remediate the finding: from e-mails by the sender requesting ‘updates’ and further receiving the report to the internal routing/steering, reporting of false positives subsequently emerged. communication with the external supplier, testing and After asking the sender to exercise more patience and finally implementing the solution into production. informing the sender of the results of our vulnerability analyses, the e-mails then turned angry, practically As this was such an unusual report, both in the way it was accusing KPN-CERT of lying (quote: “surely these communicated to us (via a hand-written letter) and due findings can’t all have been reported before!”). to the potential impact on our webmail environment, we also went the ‘extra mile’ ourselves, by sending a hand- written letter in return.

Conclusion So, is “Responsible Disclosure” working for KPN? The answer is a resounding and definite “yes”. We have received valuable reports we might not have gotten otherwise. However, it is important to be aware of the potential for side effects and have effective mechanisms, guidelines, policies and rules in place for dealing with the various types and qualities of reports you might (and probably will) receive.

And in case you were wondering: all examples and specific images in this article really did come from the Figure 1: “A typical ‘quantity-over-quality’-style researcher’s e-mail” (anonymized) actual real-world reports we’ve received over time. In all of these three variants, the initial goal of improving the security on the internet has long been forgotten; it has solely turned into the acquisition of ‘swag’ or ‘credit’ with the minimal amount of investment of time and effort possible. In fact, they sometimes even get aggressive when this reward is denied! Oh, and the three examples we’ve described above…? They all came from a single individual, trying all of the approaches!

You can find our Responsible Disclosure terms and submission form on https://www.kpn.com/algemeen/ missie-en-privacy-statement/security-vulnerability.htm.

August 25 Whatsapp starts sharing phonenumbers and analytics with Facebook. European Cyber Security Perspectives 2017| 37

Cyber Value at Risk business value from

cyber risk measurement Maarten van Wieren & Vivian Jacobs, Deloitte

Managing cyber risk has clearly become a serious challenge, needing attention at all levels of the Cyber Value at Risk approach organisation. This requires communication in business terms to many (senior) stakeholders, dealing with The Cyber Value at Risk or Cyber VaR approach change programs linked to large yet uncertain budgets identifies a monetary amount that a given and keeping up with the latest in cyber security while company may lose in a year through a “worst- new developments require constant adjustments of the case” cyber incident. It serves as a cyber risk attention. On top of that, commonly used methods like management tool that identifies the strengths red, amber, green reporting do not provide a solid base and weaknesses of the cyber defence capabilities for decision making (1; 2). linked to business value taking cyber threat levels into account. The key strength of the approach Based on our work with the World Economic Forum and is that the uncertainty (that unavoidably is its partners, a Cyber Value at Risk (VaR) approach was associated with measuring each of the elements) developed to measure cyber risks in a single metric that is accumulated into the overall risk. In this way translates into business value (3). In our experience, the added value of more accurate measurements measurement of Cyber VaR makes a big difference in (shining a light) can also be determined. cyber risk management. Discussions become focused, projects get budget based on a business case, awareness of all stakeholders grows and most important of all, it becomes clear what steps to take next. The quick scan – a quantitative cyber risk The easiest way to see the potential impact of Cyber assessment and strategic vantage point VaR, is to think of protecting a building in the dark with A good starting point towards getting cyber risk employees, suppliers, customers and others constantly measured is performing a quick scan. This initial analysis entering and exiting. You would have a hard time to is about asking the right questions, identifying available start planning how to avoid pickpockets entering and information, setting initial assumptions where required, stealing wallets, or worse, cracking the vault. By turning thus forming a comprehensive picture of the risk. For on the proverbial lights, a large part of the problem this, we employ a simple conceptual model containing goes away because the situation becomes clear and as a four elements: an organization owns (1) “Information consequence, it becomes evident what to do. Of course Assets” that need to be protected through (2) “Cyber the key question is: how do I turn on the lights? Security Controls” from abuse by (3) “Cyber Threats”. In case an Information Assets gets abused, a certain (4) “Business Value Impact” materializes (see figure 1).

August 25 Level-3 finds millions of IOT devices being compromised and added to botnets. 38 | European Cyber Security Perspectives 2017

Figure 1: The four elements of the conceptual Cyber VaR model are the Information Assets an organisation owns, the Cyber Security Controls it has deployed, the Cyber Threats it faces and the Business Value Impact it incurs.

Step 1: Identifying key stakeholders stakeholder relate to. For example: involving legal means The first step in the quick scan is to identify the thinking through where cyber incidents may trigger stakeholders associated to each of the four elements in litigation or fines. A valuable by-product of engaging the model. This is done by segmenting each of the four stakeholders is that their cyber risk awareness will elements into more granular components until the high- likely improve. Given the importance of the human level processes relevant for your business become clear. factor in cyber risk management, this will help protect This identifies associated stakeholders. Through this your organisation. segmentation, it also becomes clear what information is desired for each of the four model elements. Uncertainty as risk What’s key to understand here is that measuring cyber risk is in fact measuring uncertainty. Some of this uncertainty is fundamentally unavoidable (e.g. it’s Example: Identifying key unlikely you would be able to measure, let alone predict stakeholders threat actor activity very accurately), while in other A simple example of stakeholder identification cases further measurement can at least partially remove might look as follows: for the Cyber Security uncertainty (e.g. through red-teaming exercises). This Controls and Cyber Threats we expect the CISO also means that you’re adding value by performing a and perhaps a cyber threat intelligence officer. quick scan because this is expected to reduce uncertainty A slightly more challenging example is the thus risk. Information Asset “Integrity”, which may be segmented into “Integrity of Payments” and Strategic vantage point “Other Information Integrity”, initially identifying As a result of the quick scan, you get a first snapshot Treasury and IT as key stakeholders. of the cyber risk for the organization, a cyber-strategic vantage point so to speak. Where are the largest risks to be expected? Which capability improvements would have Step 2: Collecting information and identifying the biggest impact? What information is unexpectedly information gaps and critically missing? That is, you’re turning on the The second step in the quick scan is to identify for each first set of lights for the entire building, rather than for model element which parts of the desired information instance only in the security control room, as is often the is actually available. This often means that foremost case with most cyber dashboards we encounter. the information gaps become clear. At least initially, it is unavoidable to use assumptions to close these gaps. Managing cyber risk from These may initially be set on the basis of insights from a business perspective multiple sources, including personal expertise, the many After the initial quick scan, the next step is to make available cyber risk reports etc. For such assumptions, further use of the newly gained insights. Strategically the uncertainty should typically be large, thus negatively important activity with a large cyber risk component impacting the overall risk. forms the best place to start with applying the quick scan results. This could be in support of budget approval for Step 3: Engaging stakeholders and a cyber risk transformation program or an M&A deal, or validating assumptions impact assessments of new product launches. For a list of After identification of stakeholders, information gaps possible use cases see figure 2. and setting initial assumptions, follows engagement with the stakeholders to validate the assumptions. The order The Cyber VaR approach also adds value in regular in this is important, to avoid miscommunication it’s risk management of the cyber security organisation. critical to come well-prepared, meaning that you need The principle is to continuously monitor the risk and to translate the cyber risk concepts to concepts your performance levels of the organisation against the risk

August 31 68 Million dropbox accounts found to be compromised in 2012 leak. European Cyber Security Perspectives 2017| 39

Figure 2: Some of the many use cases of Cyber VaR categorized by four key organization objectives.

limits and performance norms on a cyber risk dashboard, Making impact with measurements so that management can intervene where needed. In our experience, Cyber VaR has the potential to Structuring the cyber risk dashboard in line with the profoundly change cyber risk management in your Cyber VaR approach allows for continuous monitoring organisation. It provides the tools to step away from a and readjustment based on actual developments in reactive way of dealing with cyber threats and incidents cyber risk. In this way, cyber risk management can be primarily based on expert intuition and focused on optimised for efficiency and effectiveness. technological solutions and move towards a rational framework that incorporates the many relevant From the perspective of the supervisory board, the perspectives, enabling proactive and business oriented situation also dramatically improves. Instead of a cyber risk management. qualitative report on cyber risk, potentially filled with Although details of suitable next steps will vary technical jargon and relying on multiple layers of by organisation given the wide range of possible interpretation, the Cyber VaR approach enables reporting applications, we are convinced that the “quick scan” on a clear metric with an unbiased root cause analysis to approach presented in this article provides a universal identify key challenges and obtain a strategic perspective starting point that works for any organization. It has the on business implications. capacity to deliver a top-down, holistic perspective that captures the most relevant components of cyber risk by leveraging the perspective of all stakeholders. Most Example: insight in return on important of all, it shines a first light on the current state investment of security program of your entire organisation and identifies how to make maximal business impact. To see in more detail how Cyber Value at Risk may support strategic prioritisation and decision- References making, we provide an example of an organisation 1. What’s Wrong with Risk Matrices. Jr., L. A. Cox. 2008, plans a large cyber security transformation Risk Analysis, pp. 497-512. consisting of multiple security projects. By 2. Jr., L. A. Cox. Improving Risk Analysis. Denver : increasing security and reducing potential future Springer, 2012. losses, this cyber transformation will create 3. World Economic Forum. Partnering for Cyber business value. Initially, it may however not be Resilience - Towards Quantification of Cyber Threats. immediately obvious how much each project will Davos : s.n., 2015. really contribute and thus which projects should receive priority. By including the investment required for each project, the Cyber VaR approach can be used determine a business case that assists in decision making. Furthermore, any changes to projects or threat landscape that will unavoidably occur can be quickly processed in the overview to enable program management to continuously steer the program towards optimal impact.

September 9 First Federal CISO named by Whitehouse. 40 | European Cyber Security Perspectives 2017

Dealing with Global Distributed Denial of Service

Oded Gonda, Check Point Software Technologies

In October 2016 cyber security public awareness reached yet a new level, as the world learned that an Securing the Grid army of bots hosted on Internet connected cameras was The most widespread grids in the world, alongside able to indirectly cause outage to well-known Internet the Internet, are the electrical grid and the telephone services such as Twitter, Amazon, Spotify and . grid. Both are designed for high resilience and require The unprecedented Global Distributed Denial of Service every devices connected to them to be certified and attack on , a large DNS infrastructure company to meet various standards that ensure that it will not serving these well-known services, may not have shocked pollute the grid. Manufacturers are not allowed to sell professionals, but it gave yet another electrical appliances or telephony equipment without the demonstration of the fragility of the Internet grid. appropriate certification, and authorities of every country Fortunately, it was not as damaging as it could have been. of the world enforce these certifications.

The Internet is a platform of innovation and inspiration. Some people suggest that a possible conclusion could We can all invent, develop and publish our work without be to require certification of any equipment that is formal qualification or certification. Products and services connected to the Internet – ensuring that it will conform are released, improved and updated constantly, often to basic security and other standards. This may end up without physical contact between the manufacturer, being necessary and may develop over time, but would reseller and consumer. This is very unusual in the also be a very complicated process. It will take a very engineering world and so far has worked fantastically well. long time to agree on the standards and then implement them. But mostly it is likely to slow down the pace of Security professionals realize that this unprecedented innovation that we enjoy today. freedom to innovate comes with a risk. Many Internet connected products are not designed with security in A more practical solution would be for the grid to protect mind and some of them contain very basic flaws that itself. It would require trust and entails some risks and allow attacks such as the one on DYN. In the attack on yet it can be potentially done by co-operation of relatively DYN, Internet-connected cameras were easily accessed small number of players, in a responsible and democratic by hackers using hardcoded or default user credentials. way. Let’s look at how this could be achieved. Public awareness of these security oversights is rising, as cyber attacks targeting well-known services are Internet traffic control becoming common. The biggest challenge when dealing with Denial of Service attacks is how to separate malicious traffic from legitimate As our lives are becoming so dependent on the Internet, traffic coming from the same origin, even from the same it is time we thought about ways to protect the grid IP address. Security vendors offer anomaly detection- without hindering continuous innovation. based security solutions that solve this problem, often

September 13 Hackers leak records from world anti-doping agency. European Cyber Security Perspectives 2017| 41

02 If the Upstream Tier-2 up-stream provider is saturated with DDoS attack traffic, alone is not able to block, they issue a “Global Block they should be able to approach their upstream Tier-2 01 Request” (GBR)* Upstream Tier-2 provider 03 provider (directly or through their local ISP), provide determines whether they are GBR is reviewed and signed by able to block the attack using at least three Tier-1 providers details about the attack and ask for help. their resources or five Tier-2 providers. They should validate that no significant Upon an attack report from a downstream Internet legitimate traffic or traffic unrelated to the attack is blocked. service or ISP, a Tier-2 up-stream provider could work 05 with the victim to identify an attack pattern. This may not If the attack persists, the GBR can always be easy, but security professionals can achieve be renewed but now should to be reviewed and signed by at least 04 this. Then, a scalable process with checks and balances four Tier-1 providers or seven Tier-2 Once approved, all Tier-1 and providers. In this case the GBR can Tier-2 providers should honor could be implemented on these lines: be renewed again and again at six- the GBR for two hours. After the hour intervals. two-hours period, the GBR can be renewed one more time. • Upstream Tier-2 provider determines whether they are

GBR*. GBR is a set of traffic flow identifiers (IP and Port ranges/wildcards) and/or regular expressions that able to block the attack using their resources. identify the attack pattern. • If the Tier-2 alone is not able to block, they issue a “Global Block Request” (GBR) - a set of traffic flow very effectively. This is especially true when the attack is identifiers (IP and Ports ranges/wildcards) and/or targeting the computing resources of the victim rather regular expressions that identify the attack pattern. than just trying to fill their Internet link with traffic in The GBR includes a ratio that indicates the desired order to slow down or prevent legitimate traffic. blocking level – 1:1 for blocking all flows or 1:n for just easing the attack. And yet, if a link connecting a DDoS victim network to • GBR is reviewed and signed by at least three Tier-1 their Internet Service Provider (ISP) and moreover a link providers or five Tier-2 providers. They should validate between the victim’s ISP to an up-stream ISP is saturated that no significant legitimate traffic or traffic unrelated with attack traffic, then it may be too late. The anomaly to the attack is blocked. detection-based solution residing at the victim’s end of the • Once approved, all Tier-1 and Tier-2 providers should link or even at the ISP may not be effective, as the link is honor the GBR for two hours. After the two-hours already saturated. This happens in a Global DDoS attack. period, the GBR can be renewed one more time. • If the attack persists, the GBR can be renewed but now When Internet services or ISPs are not able to protect should be reviewed and signed by at least four Tier-1 themselves using their own resources, they should be able providers or seven Tier-2 providers. In this case the GBR to call for help to the companies that comprise the Internet can be renewed again and again at six-hour intervals. backbone - the Tier-1 and Tier-2 Internet service providers. GBRs can be enforced using a network/security device Blocking attacks at source either at the Tier-1/Tier-2 providers upstream or The Internet is a mesh of networks owned by numerous downstream (or at the IXPs). The provider would also companies at different tiers. Six large providers are inform the ISPs downstream that a specific IP address is known today to be Tier-1 (Level 3 Communications, Telia generating an attack so the IP owner could be informed. Carrier, NTT, Cogent, GTT, and Tata Communications) as Check Point Software Technologies and some other due to their capacity and wide geographical reach they vendors can provide today the technology required for do not have to purchase transit agreements with other handling GBRs. providers. Connected to them are about thirty Tier-2 providers. Within each country there are numerous other Many attacks, such as the one on DYN, could be providers that are connected to these Tier-2 providers. effectively mitigated using the above process. In case of Internet Service Providers (and sometime large Content attacks within encrypted channels (e.g. SSL), it will not be Delivery Networks) interconnect to each other using possible to isolate precise attack patterns using regular Internet Exchange Points (IXP). The aggregated capacity expressions within the encrypted traffic, but traffic from of these providers is the maximum capacity of the attacking IPs could be blocked or reduced using TCP/ Internet: no DDoS attack can exceed it. UDP traffic indicators that identify the communication pattern even without looking at encrypted traffic. As such, less than fifty Tier-1 and Tier-2 providers together have the technical capacity to stop most Global All too often, major policy changes only occur when DDoS attacks (and in many cases country-level attacks) a catastrophe has taken place; only then there is at the source. To do this, accurate attack patterns need to enough public demand, urgency and will to make identified and agreed upon, but most importantly there is concessions and drive real change. Solving Global a need to define how this can be done in an effective and Distributed Denial of Service of attacks can be achieved legitimate way, while maintaining data privacy. before such a catastrophe strikes. As described here, mitigating Global DDoS attacks is achievable through Internet services should have internal means or cloud practical collaboration of just a few global parties. More scrubbing service to deal with DDoS. However, if their importantly, it can be an exercise in solving a simple protection is not effective because the connection to the problem by working together, rather than standing alone.

September 14 Kaspersky finds trojan disguised as Pokemon Go in Google Play store. 42 | European Cyber Security Perspectives 2017

From 01010100 01100101 01100011 01101000 T0 Talk

Mandy Mak, KPN

For some non-technical people an explanation of a legit and does this by using logos of known companies. computer security incident will sound like the title of In the e-mail the user is being tempted to click on a link this article read out loud. In this day and age almost which leads him or her to a webpage (Image 1). This everybody has daily interaction with connected webpage could ask for credentials, which could be done machines, and connected machines are by definition in several ways. The attacker could have created an entire susceptible to digital break-ins. site with login or information fields. This article provides insights in technical security incidents by the main user of affected services, by describing some examples.

Digital crime hits the news more and more. DDoS attacks, phishing e-mails and ransomware are regular news items. But how does it work and what are the kind of computer security incidents we run into and resolve together with the colleagues ‘behind the scenes’ on a daily basis?

No matter what your job description is or what you like to do in your spare time, when you have e-mail, use online-banking or an ATM, surf to news pages, own a smartphone or use the internet in any other way you are a possible victim of cybercrime.

One of these standard and relatively easy attacks are phishing e-mails as they do not require someone to hack into the network. There are different ways of abuse Figure 1: Phishing mails seem legitimate but point towards url’s which possible when using this form of attack. are untrusted, like in this example where the button tricks users to go to the compromised website. A phishing e-mail is an e-mail which is send by someone who tries to ‘phish’ for information. In the most common phishing e-mails the sender tries to make the e-mail look

September 13 hacking group GCHQ releases plans to releases new batch of setup a national . DNC documents. European Cyber Security Perspectives 2017| 43

The attacker could also use clickjacking. This is only possible when the website the attacker uses is vulnerable to clickjacking, where the original website is loaded into a frame in the attackers website. The frame could be as big as the browsers screen so the user would not notice the difference. The attacker would have to use another web address (URL) in the address bar than the original URL but can use an URL which looks a lot like the original. By using the frame to load the webpage, the attacker can capture any user interaction with the original website through the frame.

Image 3 Phishers try to steal personal data for financial gain.

You will also hear about data breaches and your data being published on the internet, this usually means you have to change your passwords.

Once a hacker gets access to a database with user records behind a web portal the hacker has access to the content of the databases and can read (and sometimes manipulate) the content. When the storage of passwords Figure 2: Websites can be checked by Virustotal (virustotal.com)which is done poorly the hacker could use these records in uses a variety of different virus scanners. other attacks, because he could retrieve the plaintext passwords. Therefore the storage of passwords needs More sophisticated phishers put more effort into it. to be done securely. First off, you never want anyone to They might send you an e-mail claiming to be from one be able to read entries in databases that are not meant company and after that send you one claiming to be from for their level of authorization. But even if this happens another. due to misconfiguration or an abused vulnerability, you would still want the data to be safe. This can be done by An example of phishing is an e-mail from the telephone using hashing. Hashing is basically putting your readable company stating that the banking records of the text in a difficult mathematical equation and the output customers were compromised and that the bank would is not understandable. This data is saved in the database get in touch about this issue. Then they send another and cannot be reversed to readable text. Using strong and e-mail stating to be from a bank with the same story, an secure hashes it would take a super computer more years attachment asking to disclose some information and to than a human life to break the hash for that password. send your ATM card to them for security checks. This makes it strong enough for today’s use.

Besides the often mentioned security loopholes, like You might wonder what you can do about these issues. phishing which is often in the news, there are more hacks The main thing you can do as a user is use different relevant for users which are not as commonly known as passwords for each account you have and be aware. If the previous described issues. something seems off be extra cautious and check for example the web address you’re browsing and search the One tab in the browser could affect the other. This could address on the internet instead of following a link. be a reason for one to choose to do sensitive tasks in a All of these issues can mostly be prevented by a secure separate browser. An example of such an attack is called server and environment. Which is why we support and Cross Site Request Forgery (CSRF), where the attacker enforce policies around secure coding and have every leads the victim to a webpage were certain settings are set new product pentested to prevent such flaws from by the attacker. The attacker has to make sure the victim existing. During a pentest (which is short for penetration is logged into the target site simultaneously. Then the test) employed hackers will try to break in the product attacker uses his own site to create a request on the page using different techniques. Every security flaw they find where the victim is legitimately logged in. By doing so the must be resolved to make the product more secure before server of the legit website will think the request is made providing it to customers. All network connected portals by the logged in user. and products are tested by our hackers and everything they find has to be resolved before the product or portal can be connected for the user.

September 19 Multiple security vulnerabilities in Tesla Model S - allow remote attacks on driving cars. 44 | European Cyber Security Perspectives 2017

Cyber security today and tomorrow Bruno Huttner & Kelly Richdale, ID Quantique

The need for Quantum-Safe security now long-term confidentiality of our cybersecurity systems, Over the last few years, the perceived threat of the the time for action is right now. Finding new solutions quantum computer to the modern cryptographic that protect against quantum attacks should be a hot standards in widespread use has increased dramatically. topic for everyone in the cybersecurity industry. Governments and top companies world-wide are now investing in the development of a quantum computer Current status of cyber security: an analogy using various technologies. This quantum computer Most of our cyber security infrastructure relies on a few will destroy all public-key cryptosystems, now at the cryptographic primitives, such as AES, RSA and ECC core of our cyber security ecosystem. Although the for example. We can use the analogy of cybersecurity arrival date for a practical quantum computer is still as a car (see Figure 1). The cryptographic primitives under debate, experts currently believe that we will see are the engine. All the other elements (transmission, a cryptographically relevant quantum computer within brakes…) are needed to make the car run, and provide 10-15 years. All our cyber security infrastructure has to the required service: bring people from A to B in a safe, be revamped and brought to a quantum-safe status. reliable and comfortable way. Some of these elements are This means that , we will have to open our cryptographic compulsory, some other optional, to bring more comfort toolbox and adapt our security infrastructure to new and ease. So far, we could consider that our engine was tools, yet to be defined. The transition to quantum-safe safe, and try to improve all the other elements, which security has to begin now. were responsible for all the mishaps with our systems (mainly linked to implementation weaknesses). This is An important fact, which all security professionals not the case anymore with the quantum computer, which have to realize, is that, although 10-15 years seems like will compel us to replace the engine itself. And we may a long-term threat, this is not truly the case. First, the now need different types of engines, to fit the different transition to quantum-safe security means significantly needs. Leaving the road and going back to cybersecurity, changing our security ecosystems, which cannot be done we now understand that we have to replace our current overnight. The consensus is that at least 5 years may primitives by new quantum-safe ones. be required to adapt those systems to use new security algorithms and protocols. Second, most encrypted data Figure 1: Cyber security as a car The aim of cyber security is to has a long lifetime, often requiring secrecy for anywhere provide a functioning secure from a few years to ten years and above. With current service, in this analogy a progress in data storage technology, an almost unlimited functioning car. The cryptographic primitives are the engine. The amount of data can be downloaded now and stored for remaining parts ensure a reliable, future decryption. This is known as the ‘download now, safe, comfortable ride. The decrypt later’ or ‘harvesting’ type of attack. A quantum Quantum Computer compels us to replace the engine- the crypto computer will be able to decrypt all the confidential primitive itself. information, which was previously encrypted using unsafe methods. Therefore, to prevent disruption in the

September 20 Website of Brian Krebs hit with 620Gbps DDoS. European Cyber Security Perspectives 2017| 45

The new tools has no influence on the security. QKD is already a realistic Broadly speaking, we have two classes of tools at our solution for long-term encryption over short distances. disposal. The first class, commonly referred to as Quantum This distance limitation will be removed in the future, and Resistant Algorithms (QRAs) or Post Quantum Algorithms increase the domain of application of this technology. (PQAs), aim to provide a drop-in replacement to existing ones, while keeping the same infrastructure as much Figure 2: A world-wide QKD as possible, and offering quantum-safe security. These network based on satellites algorithms can provide most of the cryptographic functions The yellow dots represent needed, such as signatures, authentication and encryption. the nodes. The ground nodes distribute the keys via an However, they suffer from several difficulties. One is that, so optical fiber network, over far, the quantum-safe status of some of them is not clearly short to medium distances. Free-space distribution with understood. We know that they do not succumb to the satellites or high altitude known quantum algorithms, which have been developed platforms provides to break RSA and ECC for example. But what about word-wide service. new specific algorithms? Claims that these algorithms are quantum-safe forever are currently overblown. Another difficulty is that some of these algorithms are One size does not fit all: a call for crypto agility more complicated to implement, requiring for example With the probable arrival of the quantum computer, we longer keys, and more computing power. Therefore, the now realize that there is no universal primitive, which requirement of a simple drop-in replacement is probably would provide perfect security for all applications. A not realistic. Different types of algorithms may be used for future quantum-safe infrastructure requires different different types of applications. One could think for example types of tools, adapted to the security target. Let us of specific ones for IoT devices, which only have restricted provide a few examples: memory and computing power. Others could be used for general applications, for transactions over the internet for • If you are a software company, providing apps example. However, doubts do remain about long-term over the Internet, the first and foremost concerns encryption, where information has to remain secret for tens are how to guarantee the authentication and of year. This is where the second class of tools might integrity of your solutions. Your customers be used. have to be sure that they are downloading and installing the right application on their device. The second class of tools is based on the physical layer, You should plan the transition to new quantum- and is known as Quantum Key Distribution (QKD). safe signatures, which are already well studied. QKD is based on the transmission of physical particles, • If you are a private person, worried about Big Brother typically photons, over a quantum channel. It provides a spying on your internet transactions, a so-called way to exchange a secret key between two users. The basic hybrid solution, relying on a mixture of standard idea is that any attempt at eavesdropping on the channel, solution and QRAs, would offer you better security which represents a measurement of the particles, at an acceptable extra level of constraints. modifies their states. This change will be discovered by • If you are a hospital, transmitting patient medical the legitimate users, who can then discard the exchange. records to a distant location, or a government Secrecy is not based on any mathematical assumption or office, dealing with highly confidential result, but has been theoretically proven from the tenets information, long term privacy is a major of quantum mechanics. This key can later be used for constraint. Here, adding a QKD component to any cryptographic purpose. QKD requires transmission your infrastructure should be envisaged. of physical particles. Due to unavoidable loss in the • If you operate a large data centre, which requires daily channel, this brings up a limitation in the length of a backups of Terabytes of data from different companies QKD link. Commercial implementations of QKD utilize between two locations, QKD is also a great alternative. the widely available optical fibre infrastructure used in In order to keep the necessary certifications you need telecommunication. The typical length of a QKD channel for your customers, QKD should be implemented as is tens of kilometres, with a maximum about one hundred an extra layer, complementing and enhancing your km. Free space implementations, which may lower the existing infrastructure. cost of a solution and/or increase the maximum length, are at the research stage. The length of a QKD network The conclusion is that cryptographic tools have to be can also be increased by means of a trusted node adapted to the type of data under consideration and the infrastructure, where several QKD links are connected risk profile. The new tools, which have yet to be developed through safe locations, such as telecom exchanges. For to answer the threat of the quantum computer, have to example, a 2’000 km-long QKD backbone, linking Beijing be tailored for the applications. It is also likely that the to Shanghai is under construction. A world-wide QKD solutions of today will have to be revised in the future, network can be envisaged with improved technology, as once the threats are better identified. Cryptographic shown in Figure 2. As QKD is not based on computations, agility, where you can replace a given primitive by a more it is intrinsically quantum safe: the quantum computer suitable one, will be a new requirement.

September 21 Website of Brian Krebs hit 840.000 Cisco devices found vulnerable with 620Gbps DDoS. from the exploit BENIGNCERTAIN (an exploit from The , leaked by The Shadowbrokers). 46 | European Cyber Security Perspectives 2017

Combining tactics The geek’s lab to a better Internet Rob Vercouteren, Stefan Zijlmans & Anne-Sophie Teunissen, KPN

Distributed Denial of Service (DDoS) attacks are Besides this, Netflow can help with capacity management, increasing every day, in both size (volumetric attacks) troubleshooting, accounting, and security, but keep in and complexity (multi-vector). The largest attack in The mind that it cannot be used as a deep packet inspection Netherlands until now amounted to roughly 300Gb (DPI) function, since there is only IP address- and port per second. Nowadays we regularly see attacks on our information in the Netflow data and because our netflow own network upwards of 250Gb per second. Due to the setup has a sample rate of 1 in 1000 packets for example. rapid evolution of attacks, anti-DDoS on its own is not always an effective solution. IT-Security professionals Netflow is a feature and protocol that provides the ability (CERTs / CSIRTs / SOCs) need to have an arsenal of tools to collect IP traffic as it enters or exits an interface. It at their disposal to counteract different types of DDoS collects metadata from IP traffic and can be used to attacks. They want to connect the dots, correlate all traffic determine the source and the destination of traffic, as analysis information into one single security platform, well as class of service and cause of congestion. In this which can then be used to do a multitude of things. article we are focusing on Netflow version 5, the more Good old Netflow, which has been around since the early easy and automatic version of the protocol. Higher 2000’s, can help with that. versions like version 9 and IPFIX (which is based on version 9) are non automatic and need quite some Netflow, what is it? configuration, based on templates which have to be Netflow was invented by Cisco and introduced on their pushed to the Netflow capable devices. routers. It has three main advantages. These are the A standard v5 network flow is a unidirectional sequence near real time research capacity of Netflow, the fact that of packets. To use Netflow you need to have control over Netflow is relatively easily obtainable, because it is a your own routers and these need to be able to export widely supported standard and Netflow can be used as Netflow. For collecting and analysing data you will need an addition to existing services.' wijzigen in a powerful server with storage capacity depending on the These are: amount of traffic transported through the network and the type of devices which will be exporting Netflow. • The near real time research capacity of Netflow Netflow is generally used with sampled packets, • The fact that Netflow is relatively easily obtainable, because sampled Netflow is not CPU intensive for because it is a widely supported standard routers and switches exporting the data. This makes the • Netflow can be used as an addition to existing services implementation less storage and compute intensive.

September 22 500 Million Yahoo accounts breached. European Cyber Security Perspectives 2017| 47

Netflow is a feature and protocol that provides the ability to collect IP traffic as it enters or exits an interface.

Unfortunately Netflow analysis does have its limitations. Now we’ve explained what Netflow does, we will explain An example of this is when the IP addresses of a DDoS how it can contribute in traffic analysis. or other malicious activity are spoofed. Spoofed traffic is especially being used for volumetric DDoS attacks. How might Netflow help? Most of these UDP based, volumetric attacks are of A nightmare for an ISP would be that its customer the amplification type: a small request is done, but devices are contaminated and become part of networks the answer is huge. With spoofed traffic it is difficult of infected devices. So called botnets can be used to to distinguish where traffic of requests came from. massively attack victims. If IT-security professionals can Essentially you will have to ask your upstream provider if make use of Netflow data and correlate their findings they they can see where the traffic came from. are able to determine which customers are affected and Luckily there are forms of countermeasures against help them solve contaminations and malicious activity. spoofed attacks. One of the ultimate goals would be that every ISP, upstream provider and / or peer will have anti- From a security perspective professionals can use spoofing countermeasures in place. BCP38/84 is such Netflow to detect anomalies. IP address, ports and a countermeasure. With BCP38/84 it is possible to filter transport protocol information allows them to see outgoing IP traffic from within the own Autonomous what the origin and the destination of the traffic is. This System (AS). So, when traffic originates from an IP way Netflow helps analysing DDoS attacks or other address which doesn’t belong to the AS, traffic should malicious data traffic. When it becomes clear where the be discarded. As an example, with these kinds of data came from, IT-security professionals can inform anti-spoofing countermeasures in place, the currently abuse departments or in very urgent situations close the popular UDP based DDoS attacks from Internet of Things connection with the source to make sure malicious data (IoT) devices will be less of a problem. traffic stops flooding the ISP’s network. Future perspective Another advantage of Netflow analysis is that it amplifies We have described how Netflow helps KPN and might the strengths of BGP Flowspec as a countermeasure help your organization with detecting and analyzing for DDoS attacks. With the BGP Flowspec protocol it is DDoS attacks and other kinds of malicious data traffic. possible to send a packet filter rule to a router via the However, Netflow offers more possibilities, like a feed to a routing protocol BGP. threat intel solution. This aids IT-security professionals in BGP or Border Gateway Protocol is the default routing the ability to correlate all kinds of data and information protocol which is used by ISPs everywhere on the internet with Netflow. Examples could be honeypotdata, IDS to exchange routing information. While this is normally a / IPS, malware domains, spam domain and results of manual action, propagating the packet filter can also be malware lab information that are all sent to a threat intel done automated. If the Netflow sensor is triggered by a solution. Netflow data is relatively easy to parse, opening raging torrent of packets, which is called a packet flood, up possibilities for data exchange with others. With this it can alert the IT-security professional, who is then able approach security professionals are able to send and to create an upstream filter to propagate to the edges receive indicators of compromise and can create scripts of the network. With this methods the ISP’s network is for monitoring and alarming. Ét voilá! protected, since the flood is stopped at the edges.

September 22 500 Million Yahoo OVH hit by 1Tbps DDoS. accounts breached. 48 | European Cyber Security Perspectives 2017

What you need to know about research in 2016 on human factor in cyber security

Dianne van Hemert, Carlijn Broekman, Helma van den Berg & Tony van Vliet, TNO

Organizations are increasingly aware that cyber will not only provide insights on potential victim security is not just about technology; even in this characteristics that should be further scrutinized, but technocratic domain the human factor maintains also on relevant topics that deserve more attention in the a crucial position. The human factor, however, is (near) future. intricate. Campaigns designed to change behaviors such as weak password selection or opening e-mail Method attachments from unknown senders often do not We searched for relevant articles in Scopus, a database have satisfying results 1. How to realize proper cyber- for scientific literature. Articles were selected based on behavior proves to be a challenge. On top of this, keywords3 related to victimization in the cyber domain. cyber criminals are creative and adapt their modus The keywords were based on a discussion between operandi to profit from weak spots in human behavior. domain experts and practical constraints such as the number of hits that could be processed. The search How does the scientific community deal with human resulted in 748 articles published in (inter)national factors in cyber security? We focus on a state-of-the-art journals. Relevance of each of the articles was determined in research on human factors of and victims by a scan of title and abstract. Articles with a focus on of cyber-attacks. In order to prevent individuals and thus human factors in cyber security were included for further organizations from becoming victims of cyber threats, analysis. This resulted in a subset of 107 articles. research needs to identify which (human) factors and particularly human behaviors foster becoming a victim of The subset was examined in detail for information on cyber criminality. This also includes circumstances in which human factors in cyber-attacks. During this examination they act. 43 articles were considered less relevant, mainly because their focus was on technological issues, and in This article shows the results of a recent literature review a few cases because the focus was on legislation. The of scientific literature published in 20162. This overview remaining 64 articles were analyzed, using an a priori

(1) Mohebzada, J. G., El Zarka, A., Bhojani, A. H., & Darwish, A. (2012). Phishing in a university community: Two large scale phishing experiments. In Innovations in Information Technology (IIT), 2012 International Conference on (pp. 249-254). IEEE. (2) Collecting articles was continued until October 13th 2016; articles published after October 16th are not included in this literature review. (3) (Vulnerab* OR victim*) AND (cyber OR online) AND NOT bully*, all in title, abstract and key words

September 29 Trend Micro releases report of Dresscode malware which was found in 400 apps on Google Play. European Cyber Security Perspectives 2017| 49

designed coding scheme, that was slightly modified after Mitigation having coded five articles. About half of all articles (53%) reported at least one way to mitigate the attack. Strategies mentioned vary from Results (awareness) training, to cyber hygiene, and from parental Despite carefully chosen keywords, our search resulted mediation to task design. The suggested mitigation in 64 relevant articles, out of the initial set of 748 strategies (21 unique suggestions) can be categorized in that focused on human factors in cyber security. The seven categories, by combining similar suggestions (e.g., remaining articles were either fully technological training, cyber awareness training and cyber education are oriented or generic, i.e., not focusing on human factors. categorized to education). The categories were the result of a bottom-up process of grouping similar mitigation Perpetrators strategies. Figure 2 reflects these categories, and the Not all articles mentioned a specific attacker type. Of the proportion ofMi#ga#on strategy times each category is mentioned. 55 that did, we found different types of attacks. These include harassment (32%), phishing (20%), theft (16%), injection (7%), personal contact (5%) and other methods (20%). educa&on task/process design warning The (human) focus of the attack(s) mentioned in technical tools the articles was mostly on end users (86%). Only 3% behavioural change also focused on attackers targeting IT-specialists. In tutoring addition, 5% of the articles focused on attackers targeting gaming organizations. The remainder (6%) did not describe a specific human focus. Of the 48 articles that discuss whether the attacker is outside or inside the organization, most refer to attackers Figure 2: Pie chart of the different mitigation strategies found for outside organizations (84%). Ten percent of these articles human factors in cyber security refer to an attacker inside the organization, and 6 % refer to both inside and outside the organization. An interesting question is whether articles mention different strategies to mitigate cyber threat (for Victims example, awareness training, technical interventions) As for the location of the cyber-attack, the literature depending on the vulnerability they find. Figure 3 shows shows that most studies did not mention or did not focus the relations between vulnerabilities and mitigation on location (69%). Internet usage at home was the focus strategies in a network visualization. Vulnerabilities are in 16%, and 12% focused on internet usage at the office. depicted in red, mitigation strategies are in green. Thicker 3% specified internet usage in the public space. arrows refer to more frequent relations. Many inferences Many vulnerabilities of individuals were found to be can be drawn from this network representation. Not only related to victimization of cyber-attacks. In total 85 is the most reported relation found between individual unique vulnerabilities were mentioned. These were vulnerabilities and behavioural change, but also the lack regrouped in 40 categories by combining related of relations is notable, for example between personal vulnerabilities (e.g. risk perception and perceived privacy characteristics and behavioural change. This implies that belong to ‘perception’). The word cloud in Figure 1 no articles in our database addressed both personality reflects the most predominant categories. Online activity and behaviour change. Also the amount and strength is the prime studied vulnerability (21%), followed by of outgoing or incoming relations is of importance. For perception (14%) and gender (6%). instance, contextual vulnerabilities are related to many mitigation strategies. And education is a mitigation strategy that is related to many vulnerabilities.

Figure 1: Word cloud of categorized vulnerabilities

Figure 3: Network representation of vulnerabilities and proposed mitigation strategies, with vulnerabilities depicted in red, and mitigation strategies depicted in green.

October 4 Yahoo found to be scanning all ‘customers’ e-mail for US intelligence. 50 | European Cyber Security Perspectives 2017

Discussion Interestingly, none of the articles related attacker We found that less than 10% of the articles, that surfaced method to specific vulnerabilities. Different attacking as a function of keyword-based search, actually focused methods may have different implications for different on human factors in cyber. This demonstrates that vulnerabilities. For example, extraversion might be although the human factor in cyber is recognized as an a vulnerability when it comes to social engineering important issue, it still deserves more directed attention. executed by a malicious attacker visiting an organization Our analysis of human factors of perpetrators show and having a chat with an employee, whereas impulsivity that in recent relevant studies there is an emphasis might be a more relevant vulnerability when it comes to on harassment as attack, and that the studies largely clicking on a malicious link. Not specifying the modus focused on end users, as opposed to organizations and operandi in a study might lead to missed results and IT-specialists. Most attention goes to attacks having hence to drawing incorrect conclusions. Following this an attacker from outside the organization. However, a line of thinking, it might be fruitful to match mitigation serious number of attacks is deployed by attackers that strategies to vulnerabilities. Future research should learn come from within the organization4, and the FBI stated whether this is a more effective and efficient strategy to this number is growing5. These results demonstrate that strengthen the human factor. in the near future more attention should go to attackers inside the organization. Finally, although many mitigation strategies are suggested or mentioned in the selected articles, these Location of the attack (for example, at work, at home, strategies are not often investigated. We suggest future in public) is often not included as a factor. However, research should focus on testing effectiveness of location is relevant, not only because risks may differ in mitigation strategies, in combination with identifying different locations, but the set of rules of behavior, among vulnerabilities in specific contexts. which internet usage, may differ at different locations. Future research can enrich the current literature by Our review showed that there is little attention for the focusing on location. human factor in scientific cyber security research. Characteristics of both perpetrators and victims are Many victim vulnerabilities have been identified in the under exposed, as well as the assessment of effectiveness literature, with online activity and perception as the two of mitigation strategies. In order to strengthen the most mentioned factors. However, when relating these human factor, aiming at the human factor to become to mitigation strategies in a network structure, we do the strongest force of the organization, more applied not find a strong relation between these vulnerabilities research focusing on the human factor is required. and one or more mitigation strategies, indicating that more attention in future research should go to tailoring mitigation strategies to identified vulnerabilities.

(4) 2016 Cyber Security Intelligence Index (5) Watkins, L., & Hurley, J. (2016, January). Enhancing Cybersecurity by Defeating the Attack Lifecycle. In 11th International Conference on Cyber Warfare and Security: ICCWS2016 (p. 320). Academic Conferences and publishing limited

October 10 Hackers disrupt operation of nuclear powerplant. European Cyber Security Perspectives 2017| 51

REDteaming @ KPN Mark de Groot & Sander Spierenburg, KPN

After three years of red teaming for KPN, we thought Not exactly. There is a great website about red teaming it would be a good time to evaluate what we have at http://redteamjournal.com. It has a section with the achieved, what we could have done better and, of “laws of red teaming” that is definitely worth checking course, to look ahead. out. Red teaming Law 15 perfectly reflects our experience over the past few years: After the hack of 2012, KPN’s new CISO put together the “REDteam” with two different tasks. Primarily, RTJ Red Teaming Law #15: The apprentice red the team functions as an in-house penetration testing teamer thinks like the attacker. The journeyman red team. Additionally, the REDteam performs red team teamer thinks like the attacker and the defender exercises, which are based on our assessment of current .The master red teamer thinks about the attacker and realistic threats. The goal of red teaming is to and defender thinking about each other. Hire an continuously assess the readiness of KPN to withstand apprentice to model an unsophisticated adversary. realistic scenario-based attacks. These scenarios can Hire a journeyman to model a sophisticated involve human, physical and technical elements. At the adversary. Hire a master to model the system. start of a red team exercise, we decide on whether we are going to simulate criminal activities, insider threats, state So in 2013 we were, roughly 7 guys of multiple disciplines actors, activism and/or corporate espionage. in a team eager to “own all the things at KPN”. We learned that not everybody was aligned with the definition and The REDteam consists of people with very different concepts of penetration testing and certainly not with backgrounds and areas of expertise. Some are relatively red team exercises. In traditional penetration testing the new to the organization and some have a long working scope and methods are mostly pre-defined, whereas history at KPN. This mix of people ensures we know a red team exercise exceeds those boundaries. Our enough of the organization, while having a good supply adversaries don’t abide by boundaries, so why should of fresh ideas. The technical backgrounds of the members we? We are the friendly adversary. We hack you and then also vary, ranging from a development background tell you about it. It’s important to understand that red to members that used to work in network and system team exercises still however follow a detailed plan, stay engineering. Some have hardware hacking experience within the law and are explicitly approved by our client, and others have social engineering experience. in this case our CISO.

When the REDteam started, red teaming was a fairly new The steps and rules of engagement concept in the telecommunications industry. Penetration How can you fit red teaming in a model and where do testing was more common and most of the people you start with a redteam exercise? We suggest that it can we met, thought of us as a penetration testing team, start at various levels. The levels determine how much somewhat similar to a quality assurance team. inside knowledge you need to have in order to perform

October 12 Data storage company Modern Business Solution leaks 58.8 million records. 52 | European Cyber Security Perspectives 2017

the exercise within a certain budget. Starting with zero knowledge is more expensive than starting form a trusted insider level.

These levels can be categorized into: • Level 1: Zero knowledge about the organization/ target; • Level 2: Limited knowledge about the organization/ target, the insider; • Level 3: Full knowledge about the organization/target, the trusted insider.

Physical Human Cyber Level 3 Trusted insider Trusted insider Trusted insider

Physical Human Cyber Level 2 Target Limited insider Limited insider Limited insider

Physical Human Cyber Level 1 Zero knowledge Zero knowledge Zero knowledge

(A red team exercise challenges a company on their After the initial level is determined, the attack will be physical, technical, and social defenses by simulating broken up into three stages. criminal activity, insiders, state actors, activism and/or • Stage 1 is Reconnaissance, Weaponization corporate espionage.) and Delivery. • Stage 2 is Exploitation and Installation. • Stage 3 Command and Control and Actions on the Target. The stages are based on Lockheed Martin’s Kill Chain and the REDteam’s “Dont’s” during a red team exercise. The table below describes the actions from the Kill Chain with the methodology we use:

Stage Action Methodology Stage 1 Reconnaissance Harvesting Email Addresses, Social Networking, Passive Search, IP Port Scanning Weaponization Developing Exploit with Payload Creation, Malware, Delivery systems, Decoys Delivery Spear Phishing, Infected Website, Service Provider, USB

Stage 2 Exploitation Activation, Execute Code, Establish Foothold, 3rd party Exploitation Installation Trojan or Backdoor, Escalate Privileges, Root Kit, Establish Persistence Stage 3 Command & Command Channel, Lateral Movement, Internal Recon, Maintain Persistence Control Actions on Expand Compromise, Consolidate Persistence, identify Targets, Data Ex-filtration Target

October 16 Sourcecode for Mirai botnet is released. European Cyber Security Perspectives 2017| 53

REDteam Don’ts What we have learned and improved During a red team exercise there is a possibility of equipment or systems being damaged. For example, From an organizational perspective: breaking in a door could permanently damage the lock. • We need to be able to determine when something is There are also types of damages that you would want to simply out of the ordinary and when is it an incident avoid, for example mentally traumatic experiences for • Constantly ask ourselves: “Are we monitoring the right any people involved. The minimum “don’ts” are, but not events?” limited to: • We need to reevaluate our threat landscape from time • Harm people physically and/or mentally to time and we need to have the right procedures in • Steal laptops from employees; place to identify the attackers in case of an incident • Activate fire alarms; • We constantly need to look for specific indicators of • Change valuable information on systems; compromise instead of digging through haystacks • Perform a (D)DOS on systems; • Only when the REDteam and the blueteam are • Access out of scope systems without playing the game, the security maturity level of an permission;Physically damage property/buildings; organization will grow.

Despite the defined scope of what the REDteam From a REDteam perspective: does and how, the role of the REDteam has changed • Use scenario’s that reflect real life situations only over time. We dug around, found vulnerability after • Only do exercises that benefit the organization vulnerability and took over system after system. As • Determine our strengths and weaknesses and profile we were the ones who found the vulnerabilities and these for certain scenarios. reported them, people turned to us for guidance • Develop advanced training plans based on your on how to fix them. The workload for our small weaknesses team became very high, when on top of extensive • Make sure you have the right tools for the exercise and red teaming we tried to help fix the issues. don’t be scared to improvise

KPN has a blue team too! For over 21 years, long before Our in-house REDteam is continuously finding new ways there even was a REDteam, KPN has had an incident to hack the organization, like a persistent adversary. response team called KPN CERT. This doesn’t mean This is what we do every day. This can cause apathy and that offloading it to them is going to help solving annoyance with management and operations alike. these issues sooner. A commonly heard comment is To the customer, a REDteam report often comes across “we know this already”. It’s our job to work together negative - as criticism of how they do their work, as delay with them to solve these issues. Not to do this by of a roll-out to fix blocking items, as extra costs that ourselves. We need to teach each other on tactics and weren’t budgeted. It is a challenge to create the mindset get better. It’s important to remember that it’s not within an organization that REDteam findings are a about proving the vulnerability, it’s about training service to the organization and its customers. With our the detection and response. A close interaction is model red teaming becomes more scalable for different needed between both the red and the blue team. types of organizations and budgets. The model gives clients the ability to choose a redteam exercise that fits within any budget.

After 3 years of red teaming we combined our knowledge and lessons learned into a red teaming model that fits many budgets and purposes. Since this year we can also perform commercial red team services. We encourage organizations to try red teaming instead of traditional pentesting to have another view on vulnerabilities within your organization.

October 21 DYN-DNS hit with DDoS forcing sites such as Netflix to go offline. 54 | European Cyber Security Perspectives 2017

Managing Mayhem Maarten Bodlaender, Philips

Mayhem is a computer AI specialized in fully AIs were tasked to autonomously generate autonomously hacking systems. Just let that sink in for a exploits and patches for provided binaries. moment... At the ‘Capture The Flag’ hacking competition during DEFCON 24, a computer running Mayhem Seven AIs participated, including the AI called Mayhem almost beat two of the world’s top human hacking teams. from start-up For All Secure. Mayhem won the finals, The Malware-as-a-Service industry will love automatic gaining the right to participate in the prestigious DEFCON exploit generation. Services, devices and software can be CTF tournament. This pitted Mayhem directly against bombarded by tailored attacks created by autonomous fourteen of the world’s best human hacking teams. robot software, almost immediately upon going live. In Chess and Go, computer AIs got stronger over the Hacking AIs are the natural evolution of pen testing years, eventually defeating all human world champions. tools, where binary analysis techniques like fuzzing A similar path can be expected for CTF tournaments, and symbolic execution are used to detect software and indeed Mayhem finished last, hampered by last- vulnerabilities. In the past years, white-box fuzzing tools minute compatibility issues. Even so, Mayhem proved like Sage have grown in sophistication, to the point where competitive. It seems only a matter of time until hacking DARPA felt that AI-controlled, fully automatic hacking & AIs are better & faster at hacking than human specialists patching might be in reach. (unless they have equally advanced tooling).

The DARPA Cyber Grand Challenge: hacking AIs High speed hacking In 2016, DARPA organized the finals of the The advantages of hacking AIs are their superior world’s first all-machine, no human, hacking speed and tireless approach to finding and exploiting tournament: the Cyber Grand Challenge. Computer weaknesses. They can analyze more code in less time

Fuzzing & symbolic execution

Fuzzing is a way to test programs by feeding them random, often invalid inputs. The program is then monitored for exceptions such as crashes. Fuzzing usually only finds simple faults, but is fast and generic.

Symbolic execution uses symbolic formulas to describe all possible inputs. It transforms formulas with each program step, thus determining dependencies between inputs, program steps and conditional branches. Symbolic execution is theoretically very powerful, but in practice quickly overwhelmed by path explosion in large programs.

The first hacking AIs seem to alternate these approaches in an attempt to mitigate the individual limitations.

October 28 US White House' unclassified computer network breached. European Cyber Security Perspectives 2017| 55

than humans can. Check out the following example from The secret number systems generated by the Private the contest: Arithmetic generator are based on table driven arithmetic that replaces traditional ring operations like 15:04 binary released additions and multiplications by other basic primitives. 15:34 first crash discovered by Mayhem These new operators use the underlying algebraic 17:00 reliable full exploit generated properties of the addition and multiplication in a ring to replace them by other operations in different algebraic Imagine your organization releases a new app in the structures. Addition and multiplication disappear. App store, and within 2 hours attackers have fully Therefore it is not possible for the attacker to study the automatically generated an exploit! Mayhem may just be arithmetical properties of these operators: they no longer a proof-of-concept on a toy system, but it is a wake-up exist in the code. They are replaced by new operators call that high-speed exploit generation is real. that can be customized to be no longer commutative or associative. Only the final result provides the correct Automated exploit detection tools solution to the sequence of operations. Equally powerful exploit detection needs to be part of the standard development cycle, to ensure that the code Designed to be difficult to reverse engineer, the Private contains no vulnerabilities that hacking AIs can exploit. Arithmetic generator is ideal to hide confidential Automated analysis of software for vulnerabilities is algorithms with their own number systems, and makes computationally intensive. The state-space of large it hard to determine which secret number system was programs is too large to exhaustively search, and hacking used by just scraping some data from memory. This gives AIs make heuristic choices to meet time constraints. hacking AIs a new challenge for every system they try to Different hacking AIs make different choices, and thus compromise, limiting the scale of their attacks. find different vulnerabilities. Even with vulnerability detection included in the development cycle, a different Security by design AI or human expert can often still find vulnerabilities. In summary, high speed hacking and high speed exploit generation by fully automated programs now Revisiting Kerckhoffs’s principle exists. Binaries that are publicly released like in app According to Kerckhoffs’s principles, a good stores will be automatically scanned for vulnerabilities. cryptographic system remains secure even if the enemy Organizations need to integrate security into their has a copy. Unfortunately, once hacking AIs like Mayhem development processes and software designs, to avoid get a copy, it can take them less than two hours to find being hacked directly upon product release by a diligent an exploit. As our ICT infrastructures are largely mono- AI. Philips is working on Private Arithmetic generators cultures, we typically copy the same binary on many that deprive hacking AIs from an easy input to work on. devices, making it easy to get a copy. Until vulnerability- free software can be created, most systems today are not meeting Kerckhoffs’s principles.

One way to address this problem is to ensure that all binaries are different, in a way that analyzing one binary doesn’t allow a hacking AI to create vulnerabilities for other binary. Experiences with diversification techniques like fine-grained address space layout randomization show that this complicates the work of attackers. However, many diversification techniques are defeated by exploits that manage to expose the run-time binary and/or find common aspects in the binaries.

Private Arithmetic Philips’ contribution to diversifying software at a fundamental level is to give each software instance its own private and secret number representation and corresponding calculation system. The software uses this secret number system for all calculations on sensitive data. The expectation is that symbolic execution on these systems will be impractical due to the complex data space. So-called Private Arithmetic generators are capable of generating a near infinite number of secret number systems, such that no two instances are alike.

October 30 Julian Oliver releases stealth IMSI catcher disguised as an office printer 56 | European Cyber Security Perspectives 2017

Internal Threat Management Nick Mann, Nick Mann Associates Ltd & Chairman of GSMA Fraud and Security Advisory Panel

Introduction Threat Assessment & Measurement History and recent surveys/statistics/cases teach us The starting point for improving the resilience of your the unpalatable truth that a frightening percentage of organisation to internal attack is to establish where high our employees, managers, senior executives and even threat potential exists. Thus it is essential to conduct a board members have the potential to go ‘bad’. If one asks comprehensive Internal Threat Review encapsulating the question: Which of the crimes that could affect my the exposure and management of all Fraud & Security business would be easier to commit from the inside? The issues across the business. Internal Threat Assessment & answer unfortunately, is: All of them! Measurement (ITAM) is a type of analytical measurement Belief and faith in those that work for you is vital and to approach designed to clearly determine where high be encouraged – unquestioning or blinkered trust is not. risk (Threat Quotient) posts exist within a business, Knowing your loyal staff and protecting them from the thus enabling true implementation of targeted and disloyal will reinforce that trust and ensure it is returned. proportional controls.

Cyber security seminars and conferences abound but ITAM style exercises identify threat types by role and sadly the human aspect of internal threat rarely features measure (in detail) their severity by examining all very prominently on the agendas. The focus seems elements of opportunity, ease/probability and impact. always to revolve around technical solutions when the issue is principally a people problem. We have yet to see All role types (and role type families) across the a case involving theft or manipulation of data perpetrated organisation should be identified with the assistance of by a machine. HR. A volunteer should be selected from each role type (or family) and they are then interviewed by experienced In this article we will examine and recommend threat management professionals. It should be clearly approaches to prevent, detect and deter this most explained to each interviewee that the interview is an insidious and serious business risk. objective examination of the threat potential of their role not about them personally. Once the interviewer has Note: There is a wide range of departmental structures established exactly how their role is performed and how within which the disciplines of fraud & investigations sit. it relates to other roles and parts of the business and the The merits or otherwise of which functions sit with whom controls to which it is subject, the interviewee is invited are not as important as the existence of a properly trained, to explore with the interviewer how someone with resourced and equipped fraud, security & investigative malicious intent could pose a threat to the business. function that has within its responsibilities all types of internal attack. For simplicity we will refer to this as the Fraud, Security & Investigations Function (FSIF) throughout.

November 7 11 Mirai Botnet found to Akamai publishes State of be fragmenting into Internet report discussing different botnets. Mirai botnet. European Cyber Security Perspectives 2017| 57

The roles are scored during this examination using the following methodology:

Internal Threat Quotient Scoring Mechanism: Role Opportunity A. Level of Authority B. Ability to Supervise C. Level of Supervision Imposed D. Access to Business Element (e.g. Systems, Network, Client Monies etc) E. Ability to Change, Divert or Manipulate that Element

Threat Reality A. Ease of Attack B. Detection Likelihood

Threat Impact A. Financial Effect B. Business Element Impact C. Damage Limitation / Recovery Possibility D. Client / Investor Confidence E. Market Reputation

Once the principle threat for that role has been determined* the above 12 elements should be scored individually within a designed range and a calculation algorithm applied to determine the Threat Quotient.

*External threats are included insofar as high internal collusion potential exists.

A simple ITAM type score sheet: Role Level of Ability to Level of Access to Ability to Total Results authority supervise supervision Business change, divert Score imposed Element or manipulate Threat Ease of Detection Totals + Results Attack Possible Threat Financial Business Damage Customer Market Totals X Results Effect Element Recovery / / Investor Reputation Impact Limitation confidence Total Threat Quotient

These threat types having been identified and measured, Motivation for Internal Attack the resilience of the organisation to such events and Motivation is never really considered when applying its ability to manage them is scrutinised. The resultant controls. This may be a mistake as there are certainly Threat Quotients give the principle threat and threat areas where understanding major attack causation could potential for each role type within the organisation and enhance objective prevention and detection as well as will determine exactly where and how you apply resource identify subjective predisposition to attack. to the controls we will discuss later. Studies that have examined the breadth or depth of Resource levels will determine where the high threat motivations or their potential relevance in internal fraud/ criticality line is drawn in the Threat Quotient scores but crime management are very rare. it would be prudent to ensure that at least the top 10 or 15% roles attract most attention in terms of controls in particular pre-employment security screening (vetting). Equally important to the objective determination of where threat potential lies is to examine why it may manifest itself.

PoisonTap device (Raspberry PI + PoisonTap software), when plugged into a PC, siphons cookies, exposes internal router & installs web backdoor on password locked computers.

November 13 16 412 million accounts of Variant of Mirai botnet takes 18+ dating sites from Friend 900K routers of Deutsche Finder Network INC are found Telekom offline. to be compromised. 58 | European Cyber Security Perspectives 2017

Types of Motivation: There are probably three major fields of motivation (with some cross over): 1. Greed 2. Need a. Debts (self inflicted) b. Debts (true necessity) c. Targets / Survival / Concealment of Error/ Deficit d. Coercion /Under Threat/ Blackmail/Kidnap e. Addictions: Alcohol, Drugs, Sex, Gambling f. Despair 3. Miscellaneous g. Malice / Revenge (Existing) h. Malice / Revenge (Responsive) i. Competitive Sabotage j. Peer (or Family) Pressure / Loyalty k. Psychological Problems l. Excitement / Entertainment / Self-Aggrandisement / Ego m. Idealism / Terrorism n. Stupid / Naive (i.e. no deliberate motive) o. Mole / Cell (i.e. only purpose to employment) p. Industrial Espionage q. Altruism – ‘Robin Hood’ syndrome

A lot of these are known to us and we will commonly see cases but it is worth recording some examples and explanations of the less obvious / common to illustrate that all are dangerous if ignored:

2d - a bank cashier helped thieves steal £150,000 after they threatened to uncover her as a bigamist

A finance director was convicted after stealing £85,000 by using the company credit card to fuel his sex addiction and pay for brothel visits and live internet sex shows. Thus falling into 2e category.

2f is separated from other compulsion and debt categories where, for instance, desperation for urgent costly medical attention, has driven otherwise honest individuals to commit crime. The prime characteristic of this motivation is that the money needed is usually the limit of the proceeds of the crime. As with many of the categories stated, there will be cross over between 2b & 2f but the latter is often a long term situation linked to a debt cycle and there is not normally a definite correlation of proceeds to need. There is also a similarity to2d , the delineator is that in 2f there is no malicious threat behind the need motivation.

3a, 3g, 3i are exemplified by the case where alleged terrorists were taped discussing ‘targeting utility companies by using recruits with inside knowledge to cut off electricity, water and gas power supplies across the country’. 3i has other recent public examples including employee/contractor placement to steal secrets from an electronics firm.

3d has a recent example of a mother who spent money stolen from her employers to “keep up with the Joneses” An unusual example of 2a and possibly 2e is the case of the employee who admitted stealing £200,000 from her employers to fund her purchase of 18 show-jumping horses. Probably the most famous examples of 2c is the Barings case as well as the more recent case of unauthorised trading by a French Bank trader, both with massive losses for their employers.

A personal assistant at an accountancy firm convicted of fraud after court heard that ‘she was obsessed with being the centre of attention’ and the judge said “You used the proceeds to buy friendship and affection”. This would appear to fall into the self- aggrandisement category of 3f.

3k is rare but there is a recent case where an individual gave part of the £370,000 proceeds defrauded from his employer, to charity.

November 22 Jill Stein asks for recount of Vulnerability in Realtek chip votes in Wisconsin due to fear allows headsets connected to of manipulation by hacks. compromised devices to be used as microphones. European Cyber Security Perspectives 2017| 59

candidates should be selected for such enhanced screening. A policy describing this commensurate Motivation Linkage: approach is required. It is possible to link most motivations under 4 main It is paramount that any vetting scheme is within the law Risk Factor Indicators (RFI’s): and based on 3 key principles: Financial – 1, 2a, 2b, 2e, 3c, 3j Compulsion – 2c, 2e, 2f, 3a, 3b, 3d, 3e, 3g, 3h • Voluntary: All applicants and potential applicants Secret / Embarrassment – 2d must be made aware of the level of screening from Illogical – 3f, 3i the stage of post advertisement onwards and their consent obtained either by inclusion in the Contract There are opportunities to detect these RFI’s in both of Employment or a separate document. The subject subjective and objective controls before and after may decline to offer such data or decline to obtain employment. such data; in this case the future of the recruitment or promotion process in respect of this individual must Making the connection between why employees attack be carefully considered us and applying controls respectively has to be more effective than simply having controls based on how • Open / Overt: The subject is entitled to know of the attacks are perpetrated. That said, this is not something existence and operation of the policy, the data sought that is likely to provide easy wins in the short term but and the sources used. Moreover, the subject must be what is certainly evident from above is that it warrants given the opportunity to answer/explain any ‘issues’ further study. discovered

Controls • Proportionate: The level and intensity of the Let’s take the most difficult and most important of these first: screening will be directly proportional to the criticality of the role concerned and be demonstrably Vetting (Pre- employment Security Screening) proportionate i.e. by application of the appropriate This is the principle tool in the internal threat prevention Threat Quotient level accorded and/or application armoury. Sadly it is rarely applied sufficiently or correctly. of role access levels as described in the Information Even those organisations that do apply vetting controls Classification Treatment control below. beyond asking for references usually do so in a very unscientific, costly and ineffective fashion where all roles The type and extent of checks you conduct will be are treated the same or checks levels are based on salary determined by the law in your country. There are some or seniority. Neither of the latter is particularly relevant in issues which should never form part of any screening e.g. determining which are key risk roles. ethnicity, sexuality.

To spot Risk factor Indicators (RFI’s) will necessitate In order to detect RFI’s we discussed earlier, it is detailed ‘checks’ and realistically we can only conduct important to ensure the following points are covered in a that level on a small percentage of roles. Thus it is vetting exercise: necessary to decide which posts have high risk or • Is their application real? criticality. The ITAM type process described earlier • Are their qualifications (if true?) consistent with their whereby we can measure attack opportunity, ease and career path to date impact for each role (or role family) is obviously perfect • Is what the subject does, or has done: for this purpose. It enables proportional (most common – A Secret (e.g. criminal record, a habit or extra- legal/regulatory test for ‘intrusive’ vetting) and targeted marital affair)? vetting controls based on the Threat Quotient scores – Expensive to them? determined for each role. – A risk because of how often or how much they do it? – Embarrassing if revealed / discovered? Vetting is a huge subject in itself and it is important to – A risk to them or anyone else? understand the legalities within your jurisdiction. A hierarchical (related to criticality/Threat Quotient) system of vetting should be introduced for those roles which represent high internal threat potential and such roles should be subject to enhanced checks (see below). If there are high Threat Quotient roles requiring enhanced checks that have unmanageably high intake numbers (e.g. Customer Services), random sample

Google releases public fuzzing tool OSS-Fuzz.

December 1 Vulnerability in Realtek chip Avalanche crime ring taken FBI gains power to hack allows headsets connected to down by international law systems nationally and compromised devices to be used enforcement agencies. internationally. as microphones. 60 | European Cyber Security Perspectives 2017

It is not only possible to screen for motive presence but Reporting & Detection also feasible to discover any propensity or capability We have examined the RFIs that may exist in the subjective for fraudulent/criminal activity. The Key is to look for sense related to an individual’s motivation. Such the unusual or the inexplicable. The analysis for RFI’s indicators do, of course, also exist in the data we hold, must take into account all subjective as well as objective produce or process. factors e.g. too much money can be as much an RFI as too little and one man’s gambling addiction is another’s There have been normal business fraud enquiry tools hobby. An example: for internal fraud in existence for some time but it is only in the last few years that we have started to • A £100 a week gambling habit may well pose a risk see the emergence of data engines that monitor for for a clerk who is only to earn £20k pa (possible and detect such issues. Advances in accessible data addiction) warehousing and the emergence of ‘big data’ have • It is not a risk for a Director who is to earn £100k pa opened up possibilities and exciting work is going on (probably more a hobby) – unless….. in development to use big data with prescriptive and • He has kept it a secret from his wife?!! descriptive analytics.

NB. Such detailed (Gold Standard) Screenings must be Nevertheless the fact remains that, unless controls are conducted by experienced very mature, a large proportion of internal attack is investigators. This is particularly important in the detected by reports from other employees. interviews and analysis of data e.g. As such this route must be protected, nurtured and bank accounts. developed. There are a couple of simple actions that will dramatically enhance this invaluable intelligence / It is not feasible to spot some motivations prior to evidence source: employment often because this is a first time offence and the employment is itself causal to the Motivation 1. Duty to Report Policy & Process (3a above) and presents the opportunity and, if This should make itmandatory for all staff to report necessary to the miscreant, the rationalisation. Almost all suspicions of dishonesty, malpractice or security motivations would become ‘vettable’ if we applied repeat compromise to the FSIF. This is separate to any whistle- vetting (on High Risk posts). Repeat vetting would be blowing process but can be made part of it. Thus whistle- particularly successful if linked with Fraud Monitoring / blowing becomes mandatory not merely voluntary and Detection and other objective post employment controls. the employee is encouraged to make the report to the Whether the motivation or RFI is ‘vettable’ or not – all FSIF (anonymously if they wish). The ‘Duty to Report’ motivations and the resultant product, are controllable. should be included in induction training along with fraud Moreover, it should now be obvious that each control & security awareness and all staff and newcomers should is better applied with knowledge of the range of be made to sign as part of their Contract of Employment. Motivations and their RFIs. 2. Investigative Engagement Policy & Process The lines between evidence collection and disciplinary action are often confused within organisations. Thus Some other controls not mentioned elsewhere: only appointed and trained investigations staff (i.e. FSIF) Education and Training – Security Awareness should conduct internal investigations. There should be Programme no line management or HR participation or interference Communication and Intelligence in evidence collection or interview process. This is to Audit Trails, Logs and Reconciliations ensure integrity of evidence collection, independence Access (Logical & Physical) Controls – particularly and to remove any possibility of conflict of interest. for High Risk Posts Moreover, it engenders trust in the staff that their concern Complete Range of ICT Security Policies will be handled by professionals who will provide Information Classification & Treatment protection for the ‘whistleblower’. Similarly, investigators Foster Good Industrial Relations should not be involved in the disciplinary process Realistic Target Programmes (including disciplinary or exit interviews) or decision on Measurement, Reporting & Sharing punitive action. Investigators should only participate in Segregation and Compartmentalisation any recommendations on likely success of prosecution or necessity for police involvement. It is imperative that the FSIF investigators are given this investigative mandate which should be endorsed by the Chief Executive / President / Chairman.

December 6 9 IBMs Watson is being used to Netgear routers are found prevent cybercrime in finance vulnerable to arbitrary and healthcare. command injection. European Cyber Security Perspectives 2017| 61

Note: The role of Internal Audit is sometimes given the cooperation and acceptance from any one of the main role of investigator in ‘normal business fraud’. This is not functional directorates, if part of another ideal and can be a source of confusion where a Fraud • To enable objectivity of engagement across all units & Investigation function exists. Whoever is given the of the business and to be listened to, respected and responsibility it should be clear what ‘investigation’ means trusted, it must be seen to have no alternative interest i.e. the collection of admissible evidence, and the requisite or agenda other than its own objectives training given and expertise recruited. Certainly the 2 • Internal security and investigations can be centred on functions are necessarily symbiotic. any function at any rank – investigating one’s manager or colleague is neither practical nor desirable. This is Often staff state during reviews that they would have more likely in a functional directorate such as Finance, reported previous internal incidents had the above Technology and Customer Services, as these are where policies and facilitation been in place. Moreover, where the most opportunities for internal compromise exist such policies have been introduced there has been a • Some functional directorates may be more significant rise in the number and quality of such reports. problematic than others in terms of achieving the objectives with applicable and relevant KPI’s: -

• Finance: Response, Investigations & Deterrent – Less understanding of the unquantifiable value • The objectives of any investigation should be: of deterrent and prevention and reliance on • To provide a deterrent fraud figures/percentage when low figures can • Collect admissible evidence & ensure the mean either excellent Fraud Management or, as integrity of same likely, failure to detect • To recover any lost assets, monies – Lack of understanding of non-financial threats, • Inhibit or stem any further losses impacts or losses • Minimise disruption to business – Financial Reporting Fraud conflict • Defend business reputation & retain customer • Technical: and investor confidence – Over reliance on technical solutions and • Prevent/reduce harmful effect on staff morale defences • Enact immediate operational damage – Lack of understanding of non-technical attacks limitation Hence there is a necessity for independence from these directorates. Options include: direct report to CEO / Report Lines President / Chairman, Legal & Regulatory Director, Because of the possibility of investigation of Senior Company Secretary or possibly even a Non-Executive Management and the Executive / Board itself as well as Director or the Audit Committee. other key directorates such as the Finance department, it is important to give some thought as to the report lines of It is also key to the success of any FSIF, that their direct the Fraud, Security & Investigation function (FSIF). The report should be one who personally has empathy for the key objective here is autonomy (as well as the mandate/ work in which they are engaged. authority discussed earlier). Future As such it is important for the FSIF to have a Unquestionably the greater development of ‘big data’ non-functional (i.e. not one of the key business functions internal fraud detection engines coupled with more focus such as Finance, Technology, Customer Services) report on predictive behaviour linked to Risk Factor Indicators, line for the following reasons: will have a dramatic impact on early detection capability but we must have the resources, expertise, ability and • Many aspects of its work are, of necessity, across all desire to respond and manage the product. elements of the business. Thus being owned by any functional directorate is not beneficial in gaining

This article is an abridged, updated and amended version of ‘Internal Threat’ a chapter contribution by Nick Mann to the book: ‘Demystifying Communications Risk’ – M Johnson - published by Gower Publishing.

Secure the News produces a list grading the quality of HTTPS implementations of news sites

December 13 15 Popcorn Time ransomware will Hackers breach give decryption key if you get a billion Yahoo two other people infected. accounts. 62 | European Cyber Security Perspectives 2017

Every CERT must continue to train Wesley Post, KPN

Working in a Computer Emergency Response Team Educate (CERT) requires a lot of skills and expertise. Some are Educate (Opleiden, the first O in OTO). The goal is to technical like hacking techniques or forensic research. increase the knowledge level of the CERT members. To Some are more ‘soft’ skills like communication, or writing decide which education is needed we first determined an article for an annual report. Often these skills are a baseline of knowledge and skills required for CERT needed in different situations and stress levels. team members. Since each team member will have a different level to start with, individual choices are made It is important to be prepared for everything that needs to determine which trainings are required to grow to the to be handled by a CERT. Since this is quite a broad desired level. spectrum of activities the only way to keep the skills on the right level is to share knowledgeand perform Examples of trainings are the SANS trainings like GIAC exercises on a regular basis. Within KPN-CERT we use exams/certifications for incident handling and forensics OTO for that. or the python programming language.

Introduction Train OTO is short for Opleiden, Trainen, Oefenen. Those are Training (the T in OTO) is used to share knowledge Dutch terms that roughly translate to Educate, Train and which is already available within the team. Since each Exercise. OTO is a term which has its origins in public team member has a different (professional) background emergency organisations like the fire department or we all bring our own specific knowledge. Of course it ambulance service. In those organisations OTO is used is useful to share this knowledge with the rest of the on a regular basis to exercise emergency situations as team and benefit from this. This is usually done in short realistic as possible. In this way fireman or ambulance sessions, generally an afternoon, where a team member staff are prepared for a real-life emergency situation when tells about a subject and combines that with some it occurs and know what to do in these kind of situations. hands-on practice. From KPN-CERT we see a large overlap between the Examples of knowledge sharing sessions we had so far: public emergency services and the role of a CERT within Malware analysis, hacking and in-depth networking. a company. In both cases teams need to know what to do and need to make decisions in a stressful situation with little or no time having only their knowledge and experience as their guide since every situation is different.

December 21 27 Signal fights censorship Carrie Fisher dies. using domain fronting. European Cyber Security Perspectives 2017| 63

It’s important to be prepared for everything that needs to be handled by a CERT. Since this is quite a broad spectrum of activities the only way to keep the skills on the right level is to share knowledge and perform excercises on a regular basis.

Exercises Example year plan Exercises (Oefenen, the second O in OTO) are used to This is an example of a generic year plan. You can clearly actually practice common situations to make sure we see the focus on technical exercises (practice) and are prepared for them when they happen in real life. knowledge sharing (training). The most common thing we do for practice are forensic challenges. The field of forensics is overwhelmingly Month Activity huge. It is simply impossible to know everything. What we can do is practice situations where we want to build 1 Technical exercise or maintain capabilities. In our case this includes disk, 2 Knowledge sharing network and embedded device forensics. 3 Technical exercise

Besides these technical subjects this can also include 4 Scenario exercise practicing a process with a tabletop or an actual 5 Knowledge sharing simulation of an emergency situation. In time these types 6 Technical exercise can vary from a few hours up to a few days. 7 No activity due to summer holidays Being a CERT we can not afford to have the team completely unavailable because of an OTO session, so 8 Knowledge sharing any session lasting longer than a few hours will have to 9 Technical exercise be done multiple times so the team can be split over de 10 Knowledge sharing different sessions. 11 Tabletop exercise Since we have just started with OTO we did not have a 12 Technical exercise exercise session yet but plans include Major Incident response and DDoS mitigation. Conclusion Two step planning In the end OTO takes a lot of time, from the whole team Actually planning the sessions turned out to be a during the sessions, but also the time to prepare them. two-step process. The first step is to have a generic year And is it worth it? Yes, I think it is. Keeping our knowledge plan. In our case a month-by-month planning stating and experience up-to-date is essential for a CERT and the what type of OTO we want to do. This can be a forensics OTO sessions are highly valued by the team members. challenge, training, a tabletop exercise or a simulation. The specific contents are not yet defined at this stage.

Defining the specifics of each session is a continuous process throughout the year. This is where topics are chosen, challenges selected and the actual session is Answers puzzles planned. This is usually done a few months ahead to 1) Some text looks like art allow the leader of the session to do preparations. These preparations range from creating a presentation to testing 2) This text may not look like art but it does the challenge. do a good job in looking nerdy 3) This is all about the art of deception The tabletop and simulation practices need a bit more time to prepare, in these cases half a year should be considered as a minimum.

December 29 Grizzly Steppe report is released by DHS and FBI. Overview contributing partners

Europol is the European Union’s law enforcement agency1. As KPN is the largest telecom and IT service provider in the such it acts as an information and criminal intelligence hub for Netherlands. Our network is Dutch to the core. We have a the national law enforcement authorities in the 28 EU Member clear mission – to help the Netherlands move forward through States and as a coordination platform for joint operations. that network. Europol’s main objective is to support and assist Member States We believe in a society in which communication technology in their efforts to prevent and combat organised crime, terrorism makes life richer, easier and fuller. KPN wants to be the unifier of and other forms of serious crime. that society, for people and companies. At home, at work and on The European Cybercrime Centre (EC3), officially established the move. We have the resources, and the technology and the in January 2013 as one of Europol’s operational centres2, reliable fixed and mobile networks. provides operational, analytical and strategic support to EU law We use our knowledge and experience to make our services and enforcement in combatting cybercrime: committed by organised products accessible for everyone, anytime, anywhere. We fulfill groups to generate large criminal profits such as online fraud; people’s expectations, but we also achieve the unexpected. KPN causing serious harm to the victim such as online child sexual believes in technology, in the power of communication and in exploitation; affecting critical infrastructure and information the power of connection. We are the network that enables the systems in the EU, including cyber-attacks. This includes support Netherlands to move forward. for large-scale, multi-national operations with international partners, leveraging and streamlining existing capacities through Europol’s existing infrastructure and law enforcement network with EU and non-EU law enforcement agencies, industry, the financial sector and academia.

1. https://www.europol.europa.eu/ The National Cyber Security Centre (NCSC), in collaboration with 2. https://www.europol.europa.eu/about-europol/european-cybercrime-centre-ec3 the business community, government bodies and academics, is working to increase the ability of Dutch society to defend itself in the digital domain. The NCSC supports the central government and organisations with a vital function in society by providing Deloitte provides audit, tax, consulting, and financial advisory them with expertise and advice, threat response and with actions services to public and private clients spanning multiple to strengthen crisis management. In addition, the NCSC provides industries. With a globally connected network of member firms in information and advice to citizens, the government and the more than 150 countries, Deloitte brings world-class capabilities business community relating to awareness and prevention. The and high-quality service to clients, delivering the insights they NCSC thus constitutes the central reporting and information need to address their most complex business challenges. Deloitte point for IT threats and security incidents. The NCSC is part of has in the region of 200,000 professionals, all committed to the Cyber Security Department of the National Coordinator for becoming the standard of excellence. Security and Counterterrorism.

The Dutch National High Tech Crime Unit (NHTCU) was Founded in 2001 as a spin-off of the Group of Applied Physics founded in 2007 as a response to the rise of organised and of the University of Geneva, ID Quantique (IDQ) is the world technically advanced online criminality. Since then the NHTCU leader in quantum-safe crypto solutions, designed to protect has grown from a small pioneers team to a professional data for the future. The company provides quantum-safe unit with 120 officers, maintaining its agility to adapt to network encryption, secure quantum key generation and technological and criminal developments. The mission Quantum Key Distribution solutions and services to the financial of the unit is to use novel and collaborate investigation industry, enterprises and government organisations globally. techniques in order to combat high-tech crime and new IDQ’s quantum random number generator has been forms of cybercrime. The unit focuses on serious organised validated according to global standards and independent crime and crime targeting vital national infrastructure. agencies, and is the reference in highly regulated and The NHTCU is embedded within the National Criminal mission critical industries - such as security, encryption Investigation Division of the Dutch National Police. It and online gaming - where trust is paramount. cooperates closely with other specialised teams within IDQ’s products are used by government, enterprise and academic the National Police, with its foreign counterparts and with customers in more than 60 countries and on every continent. As many public and private partners in order to be optimally a privately held Swiss company focused on sustainable growth, equipped to help keeping the Netherlands cyber-safe. IDQ is proud of its independence and neutrality, and believes in establishing long-term and trusted relationships with its customers and partners. For more information, please visit http://www.idquantique.com/.

Bits of Freedom is the leading Dutch digital rights organisation, focusing on privacy and communications freedom in the digital age. Bits of Freedom strives to influence legislation and self-regulation, on a national and Royal Philips (NYSE: PHG, AEX: PHIA) is a leading health a European level. Bits of Freedom is one of the founders technology company focused on improving people’s health and a member of European Digital Rights (EDRi). and enabling better outcomes across the health continuum from healthy living and prevention, to diagnosis, treatment and home care. Philips leverages advanced technology and deep clinical and consumer insights to deliver integrated solutions. Headquartered in the Netherlands, the company is a leader in diagnostic imaging, image-guided therapy, patient monitoring and health informatics, as well as in consumer health and home care. Philips’ health technology portfolio generated 2016 sales of EUR 17.4 billion and employs approximately 71,000 employees with sales and services in more than 100 countries. News about Philips can be found at www.philips.com/newscenter. Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, At PwC, we see cyber security and privacy differently. We don’t consulting, digital, technology and operations. Combining just protect business value; we create it—using cyber security unmatched experience and specialised skills across more and privacy as a tool to transform businesses. By bringing than 40 industries and all business functions – underpinned together capabilities from across PwC, we seek to understand by the world’s largest delivery network – Accenture works at senior leaders’ perspectives on cyber security and privacy in the the intersection of business and technology to help clients context of strategic priorities so they can play a central role in improve their performance and create sustainable value business strategy. By incorporating tactical knowledge gathered for their stakeholders. With approximately 384,000 people from decades of projects across industries, geographies, serving clients in more than 120 countries, Accenture drives programs and technologies, PwC can create and execute holistic innovation to improve the way the world works and lives. start-to-finish plans. Visit us at www.accenture.com

Zimperium® is the industry leader in Mobile Threat Defense, providing enterprise class protection for mobile devices against the Check Point Software Technologies Ltd. (www.checkpoint.com) next generation of advanced mobile cyberattacks and malware. is the largest network cyber security vendor globally, providing Zimperium is the first and only company to provide a complete industry-leading solutions and protecting customers from on-device Mobile Threat Defense system providing visibility, cyberattacks with an unmatched catch rate of malware and security and management for iOS, Android and Windows devices. other types of threats. Check Point offers a complete security With its unique behavior-based non-intrusive approach, mobile architecture defending enterprises – from networks to mobile user privacy is protected at all times. Zimperium’s MTD solution devices – in addition to the most comprehensive and intuitive protects mobile devices for any size enterprise (B2B), or large- security management. Check Point protects over 100,000 scale consumer uses (B2C). organizations of all sizes.

Kaspersky Lab is a global cyber security company founded in 1997. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into security solutions The GSMA represents the interests of mobile operators and services to protect businesses, critical infrastructure, worldwide, uniting nearly 800 operators with almost 300 governments and consumers around the globe. The company’s companies in the broader mobile ecosystem, including handset comprehensive security portfolio includes leading endpoint and device makers, software companies, equipment providers protection and a number of specialised security solutions and and internet companies, as well as organisations in adjacent services to fight sophisticated and evolving digital threats. Over industry sectors. The GSMA also produces industry-leading 400 million users are protected by Kaspersky Lab technologies events such as Mobile World Congress, Mobile World Congress and we help 270,000 corporate clients protect what matters Shanghai, Mobile World Congress Americas and the Mobile 360 most to them. Series conferences. Learn more at www.kaspersky.nl

TNO, The Netherlands Organisation for Applied Scientific Nick Mann Associates Ltd is a specialist Threat Management Research, is one of Europe’s leading independent Advisory Service. Nick himself has spent over 40 years in Fraud R&D organisations. TNO is not for profit and operates & Security including senior roles in The Stock Exchange and independently and objectively. Its unique position Vodafone (Global Director). He is now Chairman of the GSMA is attributable to its versatility and the capacity to Fraud & Security Advisory Panel. integrate knowledge across specialist disciplines. The length and depth of Nick’s experience gives him unparallelled TNO innovates for a secure cyberspace and provides cyber access to a large range of consultants within the complete range security research, development, engineering and consultancy of Security & Fraud disciplines and the expertise to match those services to government and industry. Customers include Associates to the exact client needs. Dutch government departments and private sector companies www.nickmannassociates.com across Europe, including many providers of national critical infrastructure (a.o. in telecoms, finance and energy). TNO is an active member of numerous cyber security partnerships, including the European Network for Cyber Security (ENCS), the Hague Security Delta (HSD) and the EU NIS platform. TNO was part of the core team that formulated the Dutch National Cyber Security Strategy (NCSS) II and was one of the lead authors of the Dutch National Cyber Security Research Agenda (NCSRA) II. www.tno.nl

European Cyber Security Perspectives 2017 was produced and published by KPN, © 2017, All rights reserved.